acinclude.m4: improve autodetection of CA bundle on FreeBSD #894

Closed
wants to merge 1 commit into master

4 participants
@michael-o
Member

michael-o commented Jun 24, 2016

The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle to
/usr/local/share/certs/ca-root-nss.crt. Use this bundle in the discovery process.

configure output:

configure: Configured to build curl/libcurl:

  curl version:     7.50.0-DEV
  Host setup:       i386-unknown-freebsd9.3
  Install prefix:   /net/home/osipovmi/freebsd-ca-bundle
  Compiler:         gcc
  SSL support:      enabled (OpenSSL)
  SSH support:      enabled (libSSH2)
  zlib support:     enabled
  GSS-API support:  no      (--with-gssapi)
  TLS-SRP support:  enabled
  resolver:         default (--enable-ares / --enable-threaded-resolver)
  IPv6 support:     no      (--enable-ipv6)
  Unix sockets support: enabled
  IDN support:      enabled
  Build libcurl:    Shared=yes, Static=yes
  Built-in manual:  enabled
  --libcurl option: enabled (--disable-libcurl-option)
  Verbose errors:   enabled (--disable-verbose)
  SSPI support:     no      (--enable-sspi)
  ca cert bundle:   /usr/local/share/certs/ca-root-nss.crt
  ca cert path:     no
  ca fallback:      no
  LDAP support:     enabled (OpenLDAP)
  LDAPS support:    enabled
  RTSP support:     enabled
  RTMP support:     no      (--with-librtmp)
  metalink support: no      (--with-libmetalink)
  PSL support:      no      (libpsl not found)
  HTTP2 support:    disabled (--with-nghttp2)
  Protocols:        DICT FILE FTP FTPS GOPHER HTTP HTTPS IMAP IMAPS LDAP LDAPS POP3 POP3S RTSP SCP SFTP SMB SMBS SMTP SMTPS TELNET TFTP

curl-config output:

$ ~/freebsd-ca-bundle/bin/curl-config --ca
/usr/local/share/certs/ca-root-nss.crt

Sample request:

$ ~/freebsd-ca-bundle/bin/curl -I --verbose https://<server>
*   Trying <IP>...
* Connected to <server> (<IP>) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: OU=...; C=DE; CN=<server>
*  SSL certificate verify ok.
@jay

Member

jay commented Jun 24, 2016

While yours may have this (and so does mine) I assume there's a good reason /usr/local/share/certs/ca-root.crt was there...

@michael-o

Member

michael-o commented Jun 24, 2016

There is no /usr/local/share/certs/ca-root.crt from ports. This is not a standard file location. Tagging this as FreeBSD is simply not correct.

@jay

Member

jay commented Jun 25, 2016

You've skirted my point, that's not proof it's not correct. Someone put it in there, I assume with good reason, and just because there's nothing in there that adds it now doesn't mean at some past point it wasn't valid. We have to support a wide array of systems, including legacy stuff. We should leave it unless we know it was a typo or something. You can put it above so the search order is like

/usr/local/share/certs/ca-root-nss.crt FreeBSD
/usr/local/share/certs/ca-root.crt older FreeBSD

git blame puts it at 304537c, anything to add @dfandrich?
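Added example, not curl's own configure code: a POSIX sh model of the search-order loop jay proposes above. The candidate paths are the two named in the thread plus an assumed /etc/ssl/cert.pem; the fixture tree is constructed, and the extra check that a candidate actually contains a certificate (so an empty or half-installed bundle is skipped rather than accepted) is an addition of this example.

```shell
#!/bin/sh
# Added example, not curl's acinclude.m4: candidates are tried in order and the
# first one that is readable AND holds at least one PEM certificate wins, so an
# empty or half-installed bundle file is skipped instead of silently accepted.

# Search order as proposed in the thread. ca-root-nss.crt is the path this PR
# adds, ca-root.crt the legacy entry under debate; /etc/ssl/cert.pem is assumed.
CA_BUNDLE_CANDIDATES='
/usr/local/share/certs/ca-root-nss.crt FreeBSD
/usr/local/share/certs/ca-root.crt older-FreeBSD
/etc/ssl/cert.pem assumed-extra
'

# count_certs FILE: number of PEM certificate blocks in FILE, 0 if unreadable.
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    n=$(grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null) || n=0
    echo "$n"
}

# find_ca_bundle ROOT: try each candidate below ROOT ("" for the real
# filesystem); print "path label" of the first usable bundle, or fail.
find_ca_bundle() {
    root=$1
    while read -r path label; do
        [ -n "$path" ] || continue
        if [ "$(count_certs "$root$path")" -gt 0 ]; then
            printf '%s %s\n' "$root$path" "$label"
            return 0
        fi
    done <<EOF
$CA_BUNDLE_CANDIDATES
EOF
    return 1
}

# make_sample_tree: constructed fixture with an empty legacy ca-root.crt and a
# ca-root-nss.crt holding one placeholder PEM block (not a real certificate).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/local/share/certs"
    : > "$dir/usr/local/share/certs/ca-root.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder==' \
        '-----END CERTIFICATE-----' > "$dir/usr/local/share/certs/ca-root-nss.crt"
    printf '%s\n' "$dir"
}

# Stand-alone run: probe the real filesystem, then the constructed fixture.
find_ca_bundle "" || echo "no usable CA bundle in the candidate list"
sample=$(make_sample_tree); find_ca_bundle "$sample"; rm -rf "$sample"
```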

@dfandrich

Collaborator

dfandrich commented Jun 25, 2016

@michael-o

Member

michael-o commented Jun 25, 2016

@jay This may be handcrafted on the system Dan used. No evidence for an old canonical location. The ports system is not tied to a FreeBSD version. All versions used the same ports. So if you have 8.x, 9.x, 10.x, the CA bundle will be either in /usr/local or /etc/ssl. That is how I have documented it. Moreover, the FreeBSD curl port does not even rely on this loop. It passes the path directly to configure.

@jay

Member

jay commented Jun 26, 2016

It's just not enough to convince me to remove it. I agree the nss bundle should be in the search.

Distantly related: requests/requests#2899

@michael-o

Member

michael-o commented Jun 26, 2016

@jay This actually reflects what I am saying. If you do not know what this is for and don't want to remove it, let's keep it and tag it as (unknown). @dfandrich Would you remove it these days, since you have introduced it?

@jay

Member

jay commented Jun 27, 2016

We do know what it's for, it's for older FreeBSD until proved otherwise. It shouldn't be unknown, it should be changed to FreeBSD (legacy) or older FreeBSD, something like that.

@michael-o

Member

michael-o commented Jun 27, 2016

@jay Here is the proof: The port was added 2007-07-06 and the Makefile already contained the filename ca-root-nss.crt. See revision 195105, line 52 to 55, do-build target. If you take a closer look at it with blame, you'll see that the filename hasn't changed since then. Is that proof enough?

@jay

Member

jay commented Jun 27, 2016

That's not proof that ca-root.crt wasn't in use with older FreeBSD, it's just proof that ca-root-nss was added. Also see https://bugs.python.org/msg192601

@bagder

Member

bagder commented Jun 27, 2016

I'll agree with @jay that the evidence seems to suggest that the path was used at some point in time (up to 2008?). It seems safest to just add detection of the new path.

@michael-o

Member

michael-o commented Jun 27, 2016

@jay While I need to admit that you are right here, that the port has been removed from the tree in 2008, no official FreeBSD version is available from that time and it is not available in the ports tree, which means that with the next ports update there won't be any update or the port will be removed.

If you still insist on it, I can re-add it all as FreeBSD (legacy). Is that OK for you?

@michael-o

Member

michael-o commented Jun 27, 2016

For the record, revision 215953 removed the old port. This was 8 years ago. The last version to use this was FreeBSD 7.0-RELEASE.

@bagder

Member

bagder commented Jun 27, 2016

I changed my mind. 8 years is a very long time. Let's remove that legacy path.

It would still be easy to work around for anyone who's trapped with a legacy system from back then.

@bagder bagder closed this in d61c805 Jun 27, 2016

@bagder

Member

bagder commented Jun 27, 2016

Thanks for all the comments, work and input on this!

@bagder bagder added the build label Jun 27, 2016
