The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle to
/usr/local/share/certs/ca-root-nss.crt. Use this bundle in the discovery process.
```
configure: Configured to build curl/libcurl:
curl version: 7.50.0-DEV
Host setup: i386-unknown-freebsd9.3
Install prefix: /net/home/osipovmi/freebsd-ca-bundle
SSL support: enabled (OpenSSL)
SSH support: enabled (libSSH2)
zlib support: enabled
GSS-API support: no (--with-gssapi)
TLS-SRP support: enabled
resolver: default (--enable-ares / --enable-threaded-resolver)
IPv6 support: no (--enable-ipv6)
Unix sockets support: enabled
IDN support: enabled
Build libcurl: Shared=yes, Static=yes
Built-in manual: enabled
--libcurl option: enabled (--disable-libcurl-option)
Verbose errors: enabled (--disable-verbose)
SSPI support: no (--enable-sspi)
ca cert bundle: /usr/local/share/certs/ca-root-nss.crt
ca cert path: no
ca fallback: no
LDAP support: enabled (OpenLDAP)
LDAPS support: enabled
RTSP support: enabled
RTMP support: no (--with-librtmp)
metalink support: no (--with-libmetalink)
PSL support: no (libpsl not found)
HTTP2 support: disabled (--with-nghttp2)
Protocols: DICT FILE FTP FTPS GOPHER HTTP HTTPS IMAP IMAPS LDAP LDAPS POP3 POP3S RTSP SCP SFTP SMB SMBS SMTP SMTPS TELNET TFTP
```
```
$ ~/freebsd-ca-bundle/bin/curl-config --ca
$ ~/freebsd-ca-bundle/bin/curl -I --verbose https://<server>
* Trying <IP>...
* Connected to <server> (<IP>) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: OU=...; C=DE; CN=<server>
* SSL certificate verify ok.
```
acinclude.m4: improve autodetection of CA bundle on FreeBSD
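A minimal shell illustration of the search loop this pull request touches in acinclude.m4, written for this review and not curl's own configure code: it walks candidate bundle paths in the given order and accepts only a readable file that actually holds a PEM certificate, so an empty stray file at a location like the disputed legacy path cannot be picked up. The candidate list and the sample bundle in `demo` are constructed assumptions.

```shell
#!/bin/sh
# Walk candidate CA bundle paths in order (assumed search order, like the
# configure loop) and print the first one that is readable AND contains at
# least one PEM certificate. Mere existence is not enough: an empty or stray
# file would later break verification rather than provide a trust store.
find_ca_bundle() {
    for candidate in "$@"; do
        if [ -r "$candidate" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Constructed scenario: a fake root with an empty legacy ca-root.crt and a
# populated ca-root-nss.crt (placeholder body, not a real certificate).
# Prints the chosen path relative to the fake root; returns 1 on failure.
demo() {
    tmp=$(mktemp -d) || return 1
    certs="$tmp/usr/local/share/certs"
    mkdir -p "$certs"
    : > "$certs/ca-root.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBsampleConstructedNotARealCertificate' \
        '-----END CERTIFICATE-----' > "$certs/ca-root-nss.crt"
    # Legacy path is listed first on purpose: it must be skipped, not chosen.
    found=$(find_ca_bundle "$certs/ca-root.crt" "$certs/ca-root-nss.crt")
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || return 1
    printf '%s\n' "${found#$tmp}"
}

demo
```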
While yours may have this (and so does mine) I assume there's a good reason /usr/local/share/certs/ca-root.crt was there...
There is no /usr/local/share/certs/ca-root.crt from ports. This is not a standard file location. Tagging this as FreeBSD is simply not correct.
You've skirted my point; that's not proof it's not correct. Someone put it in there, I assume with good reason, and just because there's nothing in there that adds it now doesn't mean at some past point it wasn't valid. We have to support a wide array of systems, including legacy stuff. We should leave it unless we know it was a typo or something. You can put it above so the search order is like
/usr/local/share/certs/ca-root.crt older FreeBSD
git blame puts it at 304537c, anything to add @dfandrich?
@jay This may be handcrafted on the system Dan used. No evidence for an old canonical location. The ports system is not tied to a FreeBSD version. All versions used the same ports. So if you have 8.x, 9.x, 10.x, the CA bundle will be either in /usr/local or /etc/ssl. That is how I have documented it. Moreover, the FreeBSD curl port does not even rely on this loop. It passes the path directly to configure.
It's just not enough to convince me to remove it. I agree the nss bundle should be in the search.
Distantly related: kennethreitz/requests#2899
@jay This actually reflects what I am saying. If you do not know what this is for and don't want to remove it, let's keep it and tag it as (unknown). @dfandrich Would you remove it these days, given that you introduced it?
We do know what it's for: it's for older FreeBSD until proved otherwise. It shouldn't be unknown; it should be changed to FreeBSD (legacy), older FreeBSD, or something like that.
@jay Here is the proof: The port was added 2007-07-06 and the Makefile already contained the filename ca-root-nss.crt. See revision 195105, lines 52 to 55, do-build target. If you take a closer look at it with blame, you'll see that the filename hasn't changed since then. Is that proof enough?
That's not proof that ca-root.crt wasn't in use with older FreeBSD, it's just proof that ca-root-nss was added. Also see https://bugs.python.org/msg192601
I'll agree with @jay that the evidence seems to suggest that the path was used at some point in time (up to 2008?). It seems safest to just add detection of the new path.
@jay While I need to admit that you are right here, that port was removed from the tree in 2008; no official FreeBSD version is available from that time and it is not available in the ports tree, which means that with the next ports update there won't be any update, or the port will be removed.
If you still insist on it, I can re-add it all as FreeBSD (legacy). Is that OK for you?
For the record, revision 215953 removed the old port. This was 8 years ago. The last version to use this was FreeBSD 7.0-RELEASE.
I changed my mind. 8 years is a very long time. Let's remove that legacy path.
It would still be easy to work around for anyone who's trapped with a legacy system from back then.
The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle
to /usr/local/share/certs/ca-root-nss.crt. Use this bundle in the
This change also removes the former FreeBSD path that has been obsolete
for 8 years since this FreeBSD ports commit:
Thanks for all the comments, work and input on this!