pkgsrc-Bugs archive


Re: pkg/50690: lang/go invalid path to ca-certificates.crt



The following reply was made to PR pkg/50690; it has been noted by GNATS.

From: Leonardo Taccari <leot%NetBSD.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: pkg/50690: lang/go invalid path to ca-certificates.crt
Date: Fri, 22 Jan 2016 16:11:44 +0100

 Hello Kamil, Benny and Thomas,
 
 Thomas Klausner writes:
 >  NetBSD doesn't ship this at all.
 >
 >  And security/mozilla-rootcerts defaults to /etc/openssl/certs.
 That's true, although after ktruss(1)-ing various applications that use
 SSL certificates it seems that they all end up first trying
 /etc/openssl/cert.pem and then find a valid certificate in /etc/openssl,
 e.g.:
 
  $ ktruss openssl s_client -connect netbsd.org:443 < /dev/null 2>/dev/null | sed -ne '/open/ { /etc/p }'
    [...]
    5134      1 openssl  open("/etc/openssl/cert.pem", 0, 0x1b6) Err#2 ENOENT
    [...]
    5134      1 openssl  __stat50("/etc/openssl/certs/e2799e36.0", 0x7f7fffffcb90) = 0
    5134      1 openssl  open("/etc/openssl/certs/e2799e36.0", 0, 0x1b6) = 6
    [...]
 
 After trying to better figure that out, it seems that in
 src/crypto/external/bsd/openssl/dist/crypto/cryptlib.h:83, we have:
 
  [...]
  #  define X509_CERT_AREA          OPENSSLDIR
  #  define X509_CERT_DIR           OPENSSLDIR "/certs"
  #  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
  #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
  [...]
 
 (...where OPENSSLDIR is defined in src/crypto/Makefile.openssl as
 "/etc/openssl")
 
 So, the best way to handle this PR IMHO is to:
  - pkgsrc/security/mozilla-rootcerts: change $certdir to
    "/etc/openssl" (line 24) and "ca-certificates.crt" (line 205)
    in files/mozilla-rootcerts.sh
  - update lang/go (and probably lang/go14 too) accordingly
    to use "/etc/openssl/cert.pem" as certFiles.
 
 I can handle both if needed, but I'd like feedback from more
 experienced eyes than mine!
 
 
 Thank you in advance!
 Ciao,
 L.
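
The lookup order visible in the ktruss output above (cert.pem first, then hashed entries in certs/), written as a check that shows when a consumer configured with only the single bundle path finds no roots. This is an added example, not code from the message, pkgsrc or Go; ProbeTrustStore, TrustStore and BundleOnlyOK are hypothetical names, and the bundle-only consumer is an assumption.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// hashedName matches OpenSSL hashed-directory entries such as e2799e36.0.
var hashedName = regexp.MustCompile(`^[0-9a-f]{8}\.[0-9]+$`)

// TrustStore records what exists under an OpenSSL-style directory.
type TrustStore struct {
	Bundle string   // path of cert.pem when it is a non-empty regular file
	Hashed []string // hashed certificate entries found in certs/
}

// ProbeTrustStore checks <dir>/cert.pem first and then <dir>/certs,
// the same order the traced openssl process used.
func ProbeTrustStore(dir string) (TrustStore, error) {
	var ts TrustStore
	bundle := filepath.Join(dir, "cert.pem")
	fi, err := os.Stat(bundle)
	if err != nil && !os.IsNotExist(err) {
		return ts, err
	}
	if err == nil && fi.Mode().IsRegular() && fi.Size() > 0 {
		ts.Bundle = bundle
	}
	entries, err := os.ReadDir(filepath.Join(dir, "certs"))
	if err != nil && !os.IsNotExist(err) {
		return ts, err
	}
	for _, e := range entries {
		if hashedName.MatchString(e.Name()) {
			ts.Hashed = append(ts.Hashed, e.Name())
		}
	}
	if ts.Bundle == "" && len(ts.Hashed) == 0 {
		return ts, fmt.Errorf("no CA certificates found under %s", dir)
	}
	return ts, nil
}

// BundleOnlyOK reports whether a consumer that reads only the bundle
// file (assumption: no directory fallback) would find any roots.
func (ts TrustStore) BundleOnlyOK() bool { return ts.Bundle != "" }

func main() {
	ts, err := ProbeTrustStore("/etc/openssl")
	fmt.Println(ts.Bundle, len(ts.Hashed), ts.BundleOnlyOK(), err)
}
```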
 

