pkgsrc-Users archive


Re: Trouble with pkgsrc



On Tue, 17 Jan 2023, Benny Siegert wrote:

Ideally, you install pkgin over http, then use pkgin for installing
the rest from binary packages. It does proper HTTPS, better dependency
resolution and more.


Yeah, that's what I do usually.

On Tue, 17 Jan 2023, Joerg Sonnenberger wrote:

On Tue, Jan 17, 2023 at 10:53:08AM +0000, RVP wrote:
> The fix for _this_ issue is pretty simple, but, it changes the
> libfetch API a bit.

It doesn't.


Right. (Seeing the `fetch' prefix, I wasn't certain that fetch_ssl() wasn't also an external API func.)

On Tue, 17 Jan 2023, Michael van Elst wrote:

This seems to work without API changes:
[...]
+       if (!SSL_set_tlsext_host_name(conn->ssl, conn->cache_url->host)) {
+               fprintf(stderr, "SSL hostname setting failed\n");
+               return (-1);
+       }


Ah, that's clever. I had come up with the patch below :). But, as Joerg
said, better to just update the system version to either the pkgsrc
version or the FreeBSD one. Both have other useful features like HTTP
CONNECT. The system version doesn't support HTTPS proxy connections.

On Tue, 17 Jan 2023, Jonathan Perkin wrote:

Note that pkgin uses libfetch too, so this will only be true if you are using
the libfetch from pkgsrc (which will depend on your PREFER settings).


Didn't realize pkgsrc had libfetch too (of course it does). And that
already has the SNI fix (applied back in 2014).

-RVP

---START---
diff -urN fetch.orig/dist/libfetch/common.c fetch/dist/libfetch/common.c
--- fetch.orig/dist/libfetch/common.c	2011-06-25 20:27:01.000000000 +0000
+++ fetch/dist/libfetch/common.c	2023-01-17 09:14:28.260465069 +0000
@@ -430,7 +430,7 @@
  * Enable SSL on a connection.
  */
 int
-fetch_ssl(conn_t *conn, int verbose)
+fetch_ssl(conn_t *conn, char* host, int verbose)
 {

 #ifdef WITH_SSL
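Review bot: the new `host` parameter in `fetch_ssl(conn_t *conn, char* host, int verbose)` is only read, so declare it `const char *host`; that also brings the declaration in line with the pointer style used in the same signature (`conn_t *conn`, asterisk attached to the name, not `char* host`).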
@@ -451,6 +451,8 @@
 		fprintf(stderr, "SSL context creation failed\n");
 		return (-1);
 	}
+	if (host)
+		SSL_set_tlsext_host_name(conn->ssl, host);
 	SSL_set_fd(conn->ssl, conn->sd);
 	if (SSL_connect(conn->ssl) == -1){
 		ERR_print_errors_fp(stderr);
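Review bot: the return value of `SSL_set_tlsext_host_name(conn->ssl, host)` is ignored, so if setting the extension fails the handshake silently proceeds without SNI, which is exactly the condition this patch sets out to fix. Check it and fail the connection the way Michael van Elst's variant quoted earlier in the mail does (`fprintf(stderr, "SSL hostname setting failed\n"); return (-1);`), which also matches how the preceding lines treat a failed SSL context creation. The `if (host)` guard likewise skips SNI without any indication when a caller passes NULL; at minimum that deserves a message under `verbose`.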
diff -urN fetch.orig/dist/libfetch/common.h fetch/dist/libfetch/common.h
--- fetch.orig/dist/libfetch/common.h	2014-01-07 02:13:00.000000000 +0000
+++ fetch/dist/libfetch/common.h	2023-01-17 09:14:57.833054161 +0000
@@ -98,7 +98,7 @@
 void		 fetch_cache_put(conn_t *, int (*)(conn_t *));
 conn_t		*fetch_connect(struct url *, int, int);
 conn_t		*fetch_reopen(int);
-int		 fetch_ssl(conn_t *, int);
+int		 fetch_ssl(conn_t *, char *, int);
 ssize_t		 fetch_read(conn_t *, char *, size_t);
 int		 fetch_getln(conn_t *);
 ssize_t		 fetch_write(conn_t *, const void *, size_t);
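Review bot: `int fetch_ssl(conn_t *, char *, int);` should take `const char *` for the host, since the function only reads it and the caller in http.c passes `URL->host` for it; keep the prototype here and the definition in common.c in step when making that change.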
diff -urN fetch.orig/dist/libfetch/http.c fetch/dist/libfetch/http.c
--- fetch.orig/dist/libfetch/http.c	2014-01-07 02:13:00.000000000 +0000
+++ fetch/dist/libfetch/http.c	2023-01-17 09:49:15.351723899 +0000
@@ -714,8 +714,6 @@
 	int val;
 #endif

-	*cached = 1;
-
 #ifdef INET6
 	af = AF_UNSPEC;
 #else
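Review bot: removing the unconditional `*cached = 1;` here only makes sense together with the `else *cached = 0;` in the following hunk, and both are unrelated to the SNI change the mail describes, so they belong in a separate change with their own explanation. Before making that change, confirm that no path between this point and the `fetch_cache_get()` lookup (the lines in between are not shown in the hunk) returns to the caller, because `*cached` would then be left unset where the old code had already initialised it.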
@@ -741,13 +739,14 @@
 	if ((conn = fetch_cache_get(URL, af)) != NULL) {
 		*cached = 1;
 		return (conn);
-	}
+	} else
+		*cached = 0;

 	if ((conn = fetch_connect(URL, af, verbose)) == NULL)
 		/* fetch_connect() has already set an error code */
 		return (NULL);
 	if (strcasecmp(URL->scheme, SCHEME_HTTPS) == 0 &&
-	    fetch_ssl(conn, verbose) == -1) {
+	    fetch_ssl(conn, URL->host, verbose) == -1) {
 		fetch_close(conn);
 		/* grrr */
 #ifdef EAUTH
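Review bot: `} else` followed by an unbraced `*cached = 0;` after a braced `if` body is inconsistent with the brace style of the surrounding code, and the `else` is redundant because the `if` body ends in `return (conn);`. Simpler to keep the original closing `}` and write `*cached = 0;` as a plain statement right after it. The `fetch_ssl(conn, URL->host, verbose)` call itself is fine, given a `const char *` parameter as noted for common.c.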
@@ -1189,7 +1188,8 @@
 		fetchFreeURL(purl);

 	if (HTTP_ERROR(conn->err)) {
-
+		if (verbose)
+			fetch_info("got HTTP error: %d", conn->err);
 		if (keep_alive) {
 			char buf[512];
 			do {
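Review bot: the added `if (verbose) fetch_info("got HTTP error: %d", conn->err);` is diagnostic output unrelated to the SNI fix; either leave it out of this patch or mention it in the description so a reviewer applying "the SNI fix" is not surprised by a change in verbose-mode output. Dropping the blank line that followed `if (HTTP_ERROR(conn->err)) {` is fine.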
---END---
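The patch above hands `URL->host` straight to `SSL_set_tlsext_host_name()`. One caveat worth checking before doing that, shown here as an added example that is not code from this thread or from libfetch: RFC 6066 section 3 does not permit literal IPv4 or IPv6 addresses in the SNI HostName, so a URL such as `https://192.0.2.10/` should be connected without the extension rather than with an address in it. The helper below (`sni_name_for()` and `host_is_ip_literal()` are names chosen for this example) returns the name to pass, or NULL when SNI should be skipped. The bracket handling assumes the URL parser may leave `[...]` around an IPv6 literal; that is an assumption for the example, not something the thread states. The sample hosts are constructed.

```c
/*
 * Added example, not part of the patch above or of libfetch: decide which
 * name, if any, to pass to SSL_set_tlsext_host_name() for a given
 * URL->host. RFC 6066 section 3 forbids literal IPv4/IPv6 addresses in
 * the SNI HostName, so address literals are reported as "no SNI".
 * The helper names (sni_name_for, host_is_ip_literal) are this example's own.
 */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/*
 * Returns 1 if host parses as a literal IPv4 or IPv6 address.
 * Surrounding brackets ("[2001:db8::1]") are tolerated; whether the URL
 * parser leaves them in place is an assumption made for this example.
 */
static int
host_is_ip_literal(const char *host)
{
	char buf[INET6_ADDRSTRLEN + 2];
	unsigned char addr[16];	/* large enough for AF_INET and AF_INET6 */
	size_t len;

	len = strlen(host);
	if (len >= 2 && host[0] == '[' && host[len - 1] == ']') {
		if (len - 2 >= sizeof(buf))
			return (0);	/* too long to be an address literal */
		memcpy(buf, host + 1, len - 2);
		buf[len - 2] = '\0';
		host = buf;
	}
	if (inet_pton(AF_INET, host, addr) == 1)
		return (1);
	if (inet_pton(AF_INET6, host, addr) == 1)
		return (1);
	return (0);
}

/*
 * Returns the name to send in the SNI extension, or NULL when the
 * extension should be omitted (missing or empty host, or an address
 * literal). The returned pointer aliases the argument.
 */
const char *
sni_name_for(const char *host)
{
	if (host == NULL || *host == '\0')
		return (NULL);
	if (host_is_ip_literal(host))
		return (NULL);
	return (host);
}

int
main(void)
{
	/* Constructed sample hosts as they might appear in URL->host. */
	const char *samples[] = {
		"ftp.NetBSD.org", "192.0.2.10", "2001:db8::1", "[2001:db8::1]",
		"", NULL
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		const char *sni = sni_name_for(samples[i]);

		printf("host=%-16s -> %s\n",
		    samples[i] == NULL ? "(null)" : samples[i],
		    sni == NULL ? "no SNI" : sni);
	}
	return (0);
}
```

Inside `fetch_ssl()` this would be used as `const char *sni = sni_name_for(host);` followed by the `SSL_set_tlsext_host_name(conn->ssl, sni)` call only when `sni` is non-NULL, with a failed call handled as in Michael van Elst's variant (message to stderr, `return (-1)`).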

