libfetch: don't rely on ca_root_nss for certificate validation
Before certctl(8), there was no system trust store, and libfetch relied on the CA certificate bundle from the ca_root_nss port to verify peers. We now have a system trust store and a reliable mechanism for manipulating it (to explicitly add, remove, or revoke certificates), but if ca_root_nss is installed, libfetch will still prefer that to the system trust store. With this change, unless explicitly overridden, libfetch will rely on OpenSSL to pick up the default system trust store. PR: 256902 MFC after: 3 days Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D42059
This commit is contained in:
parent
0afcac3e37
commit
09f5c1e118
|
@ -1055,8 +1055,6 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose)
|
|||
/*
|
||||
* Configure peer verification based on environment.
|
||||
*/
|
||||
#define LOCAL_CERT_FILE _PATH_LOCALBASE "/etc/ssl/cert.pem"
|
||||
#define BASE_CERT_FILE "/etc/ssl/cert.pem"
|
||||
static int
|
||||
fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
|
||||
{
|
||||
|
@ -1066,12 +1064,6 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
|
|||
|
||||
if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
|
||||
ca_cert_file = getenv("SSL_CA_CERT_FILE");
|
||||
if (ca_cert_file == NULL &&
|
||||
access(LOCAL_CERT_FILE, R_OK) == 0)
|
||||
ca_cert_file = LOCAL_CERT_FILE;
|
||||
if (ca_cert_file == NULL &&
|
||||
access(BASE_CERT_FILE, R_OK) == 0)
|
||||
ca_cert_file = BASE_CERT_FILE;
|
||||
ca_cert_path = getenv("SSL_CA_CERT_PATH");
|
||||
if (verbose) {
|
||||
fetch_info("Peer verification enabled");
|
||||
|
|
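Review bot: The header comment "Configure peer verification based on environment." is now incomplete: after the removal of the LOCAL_CERT_FILE/BASE_CERT_FILE fallbacks, the new side only reads SSL_CA_CERT_FILE and SSL_CA_CERT_PATH, and the default when both are unset is (per the commit message) whatever OpenSSL's default verify paths resolve to, which is not said anywhere in the code. I would reword it as `/* Configure peer verification: SSL_CA_CERT_FILE / SSL_CA_CERT_PATH override the trust store; with neither set, OpenSSL's default verify paths (the system trust store) are used. */`. The body of fetch_ssl_setup_peer_verification continues past the hunk, so I cannot confirm from here that the NULL/NULL case actually reaches a default-paths call rather than leaving the context without any CA store; that path is worth a unit test now that the file-based fallbacks are gone. Since this changes which store validates peers, the verbose branch could also say which one is in effect, e.g. `fetch_info("Peer verification enabled (%s)", ca_cert_file ? ca_cert_file : ca_cert_path ? ca_cert_path : "system trust store");`, so that a user debugging a verification failure can tell whether an override or the default store was used.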