From 2821a7498f65d357c68166e1978b491abef1ca4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= <des@FreeBSD.org>
Date: Sun, 8 Oct 2023 06:35:15 +0200
Subject: [PATCH] libfetch, fetch: Stop recommending the use of ca_root_nss.

MFC after:	3 days
Reviewed by:	kevans, emaste
Differential Revision:	https://reviews.freebsd.org/D42119
---
 lib/libfetch/fetch.3  | 15 +--------------
 usr.bin/fetch/fetch.1 | 14 ++------------
 2 files changed, 3 insertions(+), 26 deletions(-)

diff --git a/lib/libfetch/fetch.3 b/lib/libfetch/fetch.3
index 9082f338f7c1..5f7489799cf6 100644
--- a/lib/libfetch/fetch.3
+++ b/lib/libfetch/fetch.3
@@ -24,7 +24,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd November 24, 2020
+.Dd October 7, 2023
 .Dt FETCH 3
 .Os
 .Sh NAME
@@ -409,19 +409,6 @@ library,
 is currently unimplemented.
 .Sh HTTPS SCHEME
 Based on HTTP SCHEME.
-By default the peer is verified using the CA bundle located in
-.Pa /usr/local/etc/ssl/cert.pem .
-If this file does not exist,
-.Pa /etc/ssl/cert.pem
-is used instead.
-If neither file exists, and
-.Ev SSL_CA_CERT_PATH
-has not been set,
-OpenSSL's default CA cert and path settings apply.
-The certificate bundle can contain multiple CA certificates.
-A common source of a current CA bundle is
-.Pa \%security/ca_root_nss .
-.Pp
 The CA bundle used for peer verification can be changed by setting the
 environment variables
 .Ev SSL_CA_CERT_FILE
diff --git a/usr.bin/fetch/fetch.1 b/usr.bin/fetch/fetch.1
index 2737373c98bf..7238226998fc 100644
--- a/usr.bin/fetch/fetch.1
+++ b/usr.bin/fetch/fetch.1
@@ -28,7 +28,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd October 29, 2020
+.Dd October 7, 2023
 .Dt FETCH 1
 .Os
 .Sh NAME
@@ -131,18 +131,8 @@ only.
 .It Fl -ca-cert= Ns Ar file
 [SSL]
 Path to certificate bundle containing trusted CA certificates.
-If not specified,
-.Pa /usr/local/etc/ssl/cert.pem
-is used.
-If this file does not exist,
-.Pa /etc/ssl/cert.pem
-is used instead.
-If neither file exists and no CA path has been configured,
+Otherwise,
 OpenSSL's default CA cert and path settings apply.
-The certificate bundle can contain multiple CA certificates.
-The
-.Pa security/ca_root_nss
-port is a common source of a current CA bundle.
 .It Fl -ca-path= Ns Ar dir
 [SSL]
 The directory