[Midnightbsd-cvs] [MidnightBSD/src] f48494: libfetch: don't rely on ca_root_nss for certificat...
Michael Osipov
noreply at github.com
Fri Nov 24 01:17:06 EST 2023
Branch: refs/heads/master
Home: https://github.com/MidnightBSD/src
Commit: f4849477709addf5f9db2f4ffdc49f3d13dfbd48
https://github.com/MidnightBSD/src/commit/f4849477709addf5f9db2f4ffdc49f3d13dfbd48
Author: Michael Osipov <michael.osipov at siemens.com>
Date: 2023-11-24 (Fri, 24 Nov 2023)
Changed paths:
M lib/libfetch/common.c
Log Message:
-----------
libfetch: don't rely on ca_root_nss for certificate validation
Before certctl(8), there was no system trust store, and libfetch
relied on the CA certificate bundle from the ca_root_nss port to
verify peers.
We now have a system trust store and a reliable mechanism for
manipulating it (to explicitly add, remove, or revoke certificates),
but if ca_root_nss is installed, libfetch will still prefer that to
the system trust store.
With this change, unless explicitly overridden, libfetch will rely on
OpenSSL to pick up the default system trust store.
PR: 256902
MFC after: 3 days
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D42059
(cherry picked from commit 09f5c1e118bb4eca77b83a0d08f559b20f60aa59)
More information about the Midnightbsd-cvs
mailing list