[MacPorts] #19247: openssl doesn't install any certificates
#19247: openssl doesn't install any certificates
-------------------------------+--------------------------------------------
 Reporter:  dave@…             |  Owner:      macports-tickets@…
 Type:      defect             |  Status:     new
 Priority:  High               |  Milestone:  Port Bugs
 Component: ports              |  Version:    1.7.1
 Keywords:                     |  Port:
-------------------------------+--------------------------------------------

 I had to copy the set of trusted root certificates over from my Linux box.
 This has really bad consequences, e.g. for people using SVN.

--
Ticket URL: <http://trac.macports.org/ticket/19247>
MacPorts <http://www.macports.org/>
Ports system for Mac OS

#19247: openssl doesn't install any certificates
-------------------------------+--------------------------------------------
 Reporter:  dave@…             |  Owner:      macports-tickets@…
 Type:      defect             |  Status:     new
 Priority:  Normal             |  Milestone:  Port Bugs
 Component: ports              |  Version:    1.7.1
 Keywords:                     |  Port:
-------------------------------+--------------------------------------------
Changes (by blb@…):

  * priority:  High => Normal

Comment:

 OpenSSL doesn't install any certificates by design, see
 [http://www.openssl.org/support/faq.html#USER16 their FAQ]. For other
 sources of certs there is the curl-ca-bundle for curl's use. Are you
 saying that subversion should have something similar?

--
Ticket URL: <http://trac.macports.org/ticket/19247#comment:1>

#19247: openssl doesn't install any certificates
-------------------------------+--------------------------------------------
 Reporter:  dave@…             |  Owner:      macports-tickets@…
 Type:      defect             |  Status:     new
 Priority:  Normal             |  Milestone:  Port Bugs
 Component: ports              |  Version:    1.7.1
 Keywords:                     |  Port:
-------------------------------+--------------------------------------------

Comment(by dave@…):

 Replying to [comment:1 blb@…]:
 > OpenSSL doesn't install any certificates by design, see
 > [http://www.openssl.org/support/faq.html#USER16 their FAQ]. For other
 > sources of certs there is the curl-ca-bundle for curl's use. Are you
 > saying that subversion should have something similar?

 I'm saying precisely this:

 1. There should be a package that installs all the standard
    ca-certificates in the place where openssl's default config looks for
    them, which happens to be /opt/local/etc/openssl/certs

 2. either

    A. the openssl package should depend on this package (that's the case
       on Ubuntu Linux, for example), or

    B. Subversion should depend on it

--
Ticket URL: <http://trac.macports.org/ticket/19247#comment:2>

#19247: openssl doesn't install any certificates
-------------------------------+--------------------------------------------
 Reporter:  dave@…             |  Owner:      macports-tickets@…
 Type:      defect             |  Status:     new
 Priority:  Normal             |  Milestone:  Port Bugs
 Component: ports              |  Version:    1.7.1
 Keywords:                     |  Port:
-------------------------------+--------------------------------------------

Comment(by dave@…):

 Hmm, my FreeBSD box also appears to have openssl and subversion with no
 certificate bundle, so maybe my argument for #2 above is a bit weak. I
 ran into the problem with svn because one of the tools I use (psvn.el)
 started passing --non-interactive to its svn update commands, and svn
 fails in that case unless the certificates are validated... even if
 you've already permanently accepted a security exception. Maybe this is
 an SVN bug.

--
Ticket URL: <http://trac.macports.org/ticket/19247#comment:3>

#19247: openssl doesn't install any certificates
-------------------------------+--------------------------------------------
 Reporter:  dave@…             |  Owner:      macports-tickets@…
 Type:      defect             |  Status:     new
 Priority:  Normal             |  Milestone:  Port Bugs
 Component: ports              |  Version:    1.7.1
 Keywords:                     |  Port:
-------------------------------+--------------------------------------------

Comment(by dave@…):

 Hmm, just found
 http://subversion.tigris.org/issues/show_bug.cgi?id=3059, which I think
 explains problem #2. So maybe this could be worked around in the mac
 port somehow?

 I still want a certificate bundle package that installs where openssl
 expects to find it :-)

--
Ticket URL: <http://trac.macports.org/ticket/19247#comment:4>

#19247: openssl doesn't install any certificates
-------------------------------+--------------------------------------------
 Reporter:  dave@…             |  Owner:      macports-tickets@…
 Type:      defect             |  Status:     new
 Priority:  Normal             |  Milestone:  Port Bugs
 Component: ports              |  Version:    1.7.1
 Keywords:                     |  Port:
-------------------------------+--------------------------------------------
Changes (by raimue@…):

  * cc: raimue@… (added)

Comment:

 I don't think we have the resources or knowledge to do our own auditing
 for root CAs, so we would have to rely on existing bundles.

 I was unable to locate a root CA bundle on Mac OS X itself, it is not at
 /etc/openssl/certs. So how and against what would /usr/bin/svn validate
 certificates?

--
Ticket URL: <http://trac.macports.org/ticket/19247#comment:5>

#19247: openssl doesn't install any certificates
-------------------------------+--------------------------------------------
 Reporter:  dave@…             |  Owner:      mww@…
 Type:      enhancement        |  Status:     new
 Priority:  Normal             |  Milestone:
 Component: ports              |  Version:    1.7.1
 Keywords:                     |  Port:       openssl
-------------------------------+--------------------------------------------
Changes (by raimue@…):

  * owner:  macports-tickets@… => mww@…
  * type:  defect => enhancement
  * port:  => openssl

--
Ticket URL: <http://trac.macports.org/ticket/19247#comment:7>

#19247: openssl doesn't install any certificates
--------------------------------+-------------------------------------------
 Reporter:   dave@…             |  Owner:      mww@…
 Type:       enhancement        |  Status:     closed
 Priority:   Normal             |  Milestone:
 Component:  ports              |  Version:    1.7.1
 Resolution: wontfix            |  Keywords:
 Port:       openssl            |
--------------------------------+-------------------------------------------
Changes (by raimue@…):

  * status:  new => closed
  * resolution:  => wontfix

Comment:

 openssl should and will not install certificates.

--
Ticket URL: <http://trac.macports.org/ticket/19247#comment:8>

#19247: openssl doesn't install any certificates
--------------------------------+-------------------------------------------
 Reporter:   dave@…             |  Owner:      mww@…
 Type:       enhancement        |  Status:     reopened
 Priority:   Normal             |  Milestone:
 Component:  ports              |  Version:    1.7.1
 Resolution:                    |  Keywords:
 Port:       openssl            |
--------------------------------+-------------------------------------------
Changes (by nikolaus@…):

  * status:  closed => reopened
  * resolution:  wontfix =>

Comment:

 Just because openssl should not install certificates does not mean that
 there should not be a port that installs certificates in a way that
 openssl finds and uses them. Therefore I think this enhancement is valid
 and should not be closed with wontfix.

 There is already curl-ca-bundle, but unless you do something like
 {{{
 sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/etc/openssl/cert.pem
 }}}
 it is not useful in e.g. svn.

 Note that there seems to be also this unaddressed issue: #29970

--
Ticket URL: <https://trac.macports.org/ticket/19247#comment:9>

#19247: openssl doesn't install any certificates
--------------------------------+-------------------------------------------
 Reporter:   dave@…             |  Owner:      mww@…
 Type:       enhancement        |  Status:     reopened
 Priority:   Normal             |  Milestone:
 Component:  ports              |  Version:    1.7.1
 Resolution:                    |  Keywords:
 Port:       openssl            |
--------------------------------+-------------------------------------------

Comment(by nikolaus@…):

 Here are posts / discussions showing that people have issues related to
 this problem:

 * http://groups.google.com/group/subversion_users/browse_thread/thread/38dbc2a...
 * http://blog.55minutes.com/post/15406257966/fixing-https-certificate-errors-in-wget-and-ruby

--
Ticket URL: <https://trac.macports.org/ticket/19247#comment:11>

#19247: openssl doesn't install any certificates
-------------------------------------+--------------------------------------
 Reporter:   dave@…                  |  Owner:      mww@…
 Type:       enhancement             |  Status:     reopened
 Priority:   Normal                  |  Milestone:
 Component:  ports                   |  Version:    1.7.1
 Resolution:                         |  Keywords:
 Port:       openssl curl-ca-bundle  |
-------------------------------------+--------------------------------------
Changes (by raimue@…):

  * cc: ryandesign@… (added)
  * port:  openssl => openssl curl-ca-bundle

Comment:

 Adding the curl-ca-bundle to openssl makes sense to me. I think the
 symlink should be added by the curl-ca-bundle port. Adding Ryan as
 maintainer to CC.

--
Ticket URL: <https://trac.macports.org/ticket/19247#comment:12>

#19247: openssl doesn't install any certificates
-------------------------------------+--------------------------------------
 Reporter:   dave@…                  |  Owner:      mww@…
 Type:       enhancement             |  Status:     reopened
 Priority:   Normal                  |  Milestone:
 Component:  ports                   |  Version:    1.7.1
 Resolution:                         |  Keywords:
 Port:       openssl curl-ca-bundle  |
-------------------------------------+--------------------------------------

Comment(by ryandesign@…):

 So what do I need to do here? Just make the curl-ca-bundle port also
 install a symlink /opt/local/etc/openssl/cert.pem pointing to
 /opt/local/share/curl/curl-ca-bundle.crt?

--
Ticket URL: <https://trac.macports.org/ticket/19247#comment:13>

#19247: subversion should use curl-ca-bundle certificates out of the box
----------------------------------------+-----------------------------------
 Reporter:   dave@…                     |  Owner:      dluke@…
 Type:       enhancement                |  Status:     new
 Priority:   Normal                     |  Milestone:
 Component:  ports                      |  Version:
 Resolution:                            |  Keywords:
 Port:       subversion curl-ca-bundle  |
----------------------------------------+-----------------------------------
Changes (by jmr@…):

  * status:  reopened => new
  * cc: blair@… (added)
  * version:  1.7.1 =>
  * owner:  mww@… => dluke@…
  * port:  openssl curl-ca-bundle => subversion curl-ca-bundle

--
Ticket URL: <https://trac.macports.org/ticket/19247#comment:14>

#19247: subversion should use curl-ca-bundle certificates out of the box
----------------------------------------+-----------------------------------
 Reporter:   dave@…                     |  Owner:      dluke@…
 Type:       enhancement                |  Status:     new
 Priority:   Normal                     |  Milestone:
 Component:  ports                      |  Version:
 Resolution:                            |  Keywords:
 Port:       subversion curl-ca-bundle  |
----------------------------------------+-----------------------------------

Comment(by nikolaus@…):

 Replying to [comment:13 ryandesign@…]:
 > So what do I need to do here? Just make the curl-ca-bundle port also
 > install a symlink /opt/local/etc/openssl/cert.pem pointing to
 > /opt/local/share/curl/curl-ca-bundle.crt?

 Do we need to deal with the fact that /opt/local/etc/openssl/cert.pem
 might already exist (created by the user)?

 Is it possible to put such a symlink in /opt/local/etc/openssl/certs/
 also (except that there is #29970), or does this folder need to have the
 hash values of the certificates as filenames for the whole thing to work?

--
Ticket URL: <https://trac.macports.org/ticket/19247#comment:15>

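Added example (not part of the ticket and not the curl-ca-bundle port's own code): one way to create the cert.pem symlink proposed in this thread without replacing a file the user already put there. The function names `link_ca_bundle` and `count_certs` and the return codes are assumptions made for this sketch; both paths are passed as arguments.

```shell
#!/bin/sh
# Hypothetical helper, added for illustration.
# Usage: link_ca_bundle BUNDLE TARGET
#   0  TARGET points at BUNDLE (link created, or already correct)
#   1  BUNDLE is unreadable or contains no PEM certificate
#   2  TARGET exists and is not a link to BUNDLE; left untouched
#
# OpenSSL reads cert.pem as one bundle file (CAfile). The certs/ directory
# (CApath) is searched by subject-hash file names instead, so a bundle
# symlink dropped into that directory is not picked up.
link_ca_bundle() {
    bundle=$1
    target=$2

    # Refuse to publish an empty or non-PEM file as the trust store.
    if [ ! -r "$bundle" ] ||
       ! grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle"; then
        echo "no PEM certificates in $bundle" >&2
        return 1
    fi

    if [ -L "$target" ]; then
        # Existing symlink: accept it only if it already points at the bundle.
        if [ "$(readlink "$target")" = "$bundle" ]; then
            return 0
        fi
        echo "$target links elsewhere; not replacing" >&2
        return 2
    elif [ -e "$target" ]; then
        # A regular file here was placed by the user; keep their trust store.
        echo "$target exists; not replacing" >&2
        return 2
    fi

    mkdir -p "$(dirname "$target")" && ln -s "$bundle" "$target"
}

# Number of certificates a bundle would add to the trust store.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# With the paths from this ticket the call would be:
#   link_ca_bundle /opt/local/share/curl/curl-ca-bundle.crt \
#                  /opt/local/etc/openssl/cert.pem
```
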
#19247: subversion should use curl-ca-bundle certificates out of the box
----------------------------------------+-----------------------------------
 Reporter:   dave@…                     |  Owner:      dluke@…
 Type:       enhancement                |  Status:     new
 Priority:   Normal                     |  Milestone:
 Component:  ports                      |  Version:
 Resolution:                            |  Keywords:
 Port:       subversion curl-ca-bundle  |
----------------------------------------+-----------------------------------

Comment(by jmr@…):

 The attached should do it for subversion, provided curl-ca-bundle also
 installs the link.

 I tried using the ssl-authority-files setting but it only recognises one
 cert per file (because that's all the underlying functions in neon and
 serf will do).

--
Ticket URL: <https://trac.macports.org/ticket/19247#comment:16>

#19247: subversion should use curl-ca-bundle certificates out of the box
----------------------------------------+-----------------------------------
 Reporter:   dave@…                     |  Owner:      dluke@…
 Type:       enhancement                |  Status:     new
 Priority:   Normal                     |  Milestone:
 Component:  ports                      |  Version:
 Resolution:                            |  Keywords:
 Port:       subversion curl-ca-bundle  |
----------------------------------------+-----------------------------------

Comment(by ryandesign@…):

 Replying to [comment:16 jmr@…]:
 > The attached should do it for subversion, provided curl-ca-bundle also
 > installs the link.

 curl-ca-bundle now does as of r90121.

--
Ticket URL: <https://trac.macports.org/ticket/19247#comment:18>

#19247: subversion should use curl-ca-bundle certificates out of the box
----------------------------------------+-----------------------------------
 Reporter:   dave@…                     |  Owner:      dluke@…
 Type:       enhancement                |  Status:     new
 Priority:   Normal                     |  Milestone:
 Component:  ports                      |  Version:
 Resolution:                            |  Keywords:
 Port:       subversion curl-ca-bundle  |
----------------------------------------+-----------------------------------

Comment(by dluke@…):

 I guess that's my cue, I'll test the patches shortly and get an update to
 subversion ready.

--
Ticket URL: <https://trac.macports.org/ticket/19247#comment:19>

#19247: subversion should use curl-ca-bundle certificates out of the box
----------------------------------------+-----------------------------------
 Reporter:   dave@…                     |  Owner:      dluke@…
 Type:       enhancement                |  Status:     assigned
 Priority:   Normal                     |  Milestone:
 Component:  ports                      |  Version:
 Resolution:                            |  Keywords:
 Port:       subversion curl-ca-bundle  |
----------------------------------------+-----------------------------------
Changes (by dluke@…):

  * status:  new => assigned

--
Ticket URL: <https://trac.macports.org/ticket/19247#comment:20>

#19247: subversion should use curl-ca-bundle certificates out of the box
----------------------------------------+-----------------------------------
 Reporter:   dave@…                     |  Owner:      dluke@…
 Type:       enhancement                |  Status:     closed
 Priority:   Normal                     |  Milestone:
 Component:  ports                      |  Version:
 Resolution: fixed                      |  Keywords:
 Port:       subversion curl-ca-bundle  |
----------------------------------------+-----------------------------------
Changes (by dluke@…):

  * status:  assigned => closed
  * resolution:  => fixed

Comment:

 r90123, thanks!

--
Ticket URL: <https://trac.macports.org/ticket/19247#comment:21>