Test for /etc/ssl/cert.pem existence to avoid masking SSL_CA_CERT_PATH #1368
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Prior to this patch, unless SSL_CA_CERT_FILE is set in the environment, libfetch will set the CA file to "/usr/local/etc/cert.pem" if it exists, and to "/etc/ssl/cert.pem" otherwise. This has the consequence of masking SSL_CA_CERT_PATH, because OpenSSL will ignore the CA path if a CA file is set but fails to load (see X509_STORE_load_locations()). While here, fall back to OpenSSL defaults if neither SSL_CA_CERT_FILE nor SSL_CA_CERT_PATH are set in the environment, and if neither of the libfetch default CA files exists. This patch is also submitted upstream against [PR 193871](https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871) as [review D4771](https://reviews.freebsd.org/D4771).
|
I should have said, "This has the consequence of masking |
|
I first need to update libfetch to the latest version and see how this apply |
|
Two weeks ago I led myself to believe that pkg already has the latest version of libfetch, but I wouldn't swear to it now. |
|
Merged thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Prior to this patch, unless
SSL_CA_CERT_FILEis set in the environment, libfetch will set the CA file to "/usr/local/etc/cert.pem" if it exists, and to "/etc/ssl/cert.pem" otherwise. This has the consequence of maskingSSL_CA_CERT_PATH, because OpenSSL will ignore the CA path if a CA file is set but fails to load (seeX509_STORE_load_locations()).While here, fall back to OpenSSL defaults if neither
SSL_CA_CERT_FILEnorSSL_CA_CERT_PATHare set in the environment, and if neither of the libfetch default CA files exists.This patch is also submitted upstream against PR 193871 as review D4771.