The port creates /etc/ssl directory with the default option, but until now,
did not remove it upon deinstallation. While technically this requires
a revbump, rebuilding this port to fix a cleanup step would cause a
tremendous amount of fallout and it's not worth the pain IMO.
PR: 213121
Approved by: feld (ports-secteam)
everything at once. Sometime, rename post-install into a options helper
target.
I did not fix ports that were such a mess that I could not figure out
what they really wanted to do. I also did not change ports that had
some version of an auto-plist code in post-install, for the same reason.
With hat: portmgr
Sponsored by: Absolight
Enable the ETCSYMLINK option so that SSL certificate verification is
enabled by default for OpenSSL in base.
This change is the third in a set of changes [1][2] that improves the
default configuration and behaviour of client software relying on
OpenSSL for SSL/TLS and certificate verification.
A symlink is installed which points to the root certificate bundle in
the location that OpenSSL in base looks for them, as configured at build
time [2].
This allows any and all software utilising SSL_CTX_load_verify_locations
function to verify SSL certificates by default after installation of
this package.
[1] https://svnweb.freebsd.org/changeset/ports/372629
[2] https://svnweb.freebsd.org/changeset/ports/378720
PR: 189811 196357
Requested by: many
Submitted by: dreamcat4 gmail com
Approved by: maintainer timeout (>1 year)
Since 2.7.9, Python verifies SSL certificates by default. Currently,
even with security/ca_root_nss installed, Python fails certificate
verification.
Upon investigation, Python uses OpenSSL's standard
SSL_CTX_load_verify_locations function to load a list of CA root
certificates.
Support was added to ca_root_nss for "out of the box" certificate
verification for a number of base utilities in r372629 [1], but this
did not include support for software that uses OpenSSL's
SSL_CTX_load_verify_locations function.
[1] https://svnweb.freebsd.org/changeset/ports/372629
OpenSSL defaults (at compile time) to the following paths and filenames
for certificate and CAFile lookup:
Base:
SSL_CERT_DIR=/etc/ssl/certs
SSL_CERT_FILE/etc/ssl/cert.pem
Ports:
SSL_CERT_DIR=/usr/local/openssl/certs
SSL_CERT_FILE=/usr/local/openssl/cert.pem
This change installs a symlink which points to the root certificate
bundle in the location that OpenSSL from ports looks for them.
This allows any and all software utilising SSL_CTX_load_verify_locations
function to verify SSL certificates by default after installation of
this package.
Additionally, display a pkg-message to the user about the lack of
warranty associated with these certificates.
Note: This is *NOT* related to solving for SSL certificate verification
for OpenSSL in Base, which is covered in bug 189811.
While I'm here:
- Add LICENSE
- Use options helpers and OPTIONS_SUB
- Fix typo in !!! message !!!
PR: 196431
Submitted by: koobs
Reviewed by: jbeich
Approved by: maintainer timeout (1 month)
- Update gmp-api to 35.0
- Update openh264 to 1.2
- Update NSS to 3.17.3
- Update Firefox to 34.0.5
- Update Firefox ESR 31.3.0
- Update libxul to 31.3.0
- Improve CONFIGURE_TARGET handling
- Always build using client.mk
- Switch to clang by default on systems without libc++
(/stable/8 and /stable/9)
- Drop lang/python2 dependency, only lang/python27 is required
to build
- Use DuckDuckGo searchplugin from upstream (has suggestions
and purposes)
- Backport a few about:memory fixes
- Backport Web Notifications libnotify integration
- Add GTK3 option for www/firefox. Adwaita is a bit broken
since Gtk 3.14, see:
https://bugzilla.mozilla.org/show_bug.cgi?id=1073117
PR: 195559
Submitted by: Jan Beich
MFH: 2014Q4
Security: http://vuxml.org/freebsd/7ae61870-9dd2-4884-a2f2-f19bb5784d09.html
- Update Firefox ESR to 31.2.0
- Update NSS to 3.17.2
- Update Thunderbird to 31.2.0
- Update libxul to 31.2.0 (and mark as BROKEN)
- Disable SSL 3.0 with pref (Upstream bug 1076983)
- (workaround) replace USE_GCC=yes with USES=compiler:gcc-c++11-lib in
order to fix runtime for PGO and powerpc/powerpc64 on libc++ systems
- Add OSS audio fallback for HTML5 audio from upstream bug;
not exposed yet because WebRTC still needs ALSA or PulseAudio
- Kill @dirrm from gecko@ ports per CHANGES from 20140922
- Drop workaround for LLVM PR 19007: base and lang/clang34 have the fix
- Improve workaround comment for LLVM PR 15840, partially rejecting
r348851 by marino@ until bug 193555
PR: 194356
Submitted by: Jan Beich
Security: http://www.vuxml.org/freebsd/9c1495ac-8d8c-4789-a0f3-8ca6b476619c.html
- Update nspr to 4.10.7
- Update ca_root_nss to 3.17 (mark as NO_ARCH while here)
- Update firefox to 32.0
- Update thunderbird to 31.1.0
- Add net-im/linux-instantbird
- Update firefox-est to 31.1.0
- Update libxul to 24.8.0
- Update seamonkey to 2.29
Submitted by: Jan Beich for gecko@
- Update Firefox ESR to 24.6.0
- Update libxul to 24.6.0
- Update NSS to 3.16.1
- Update NSPR to 4.10.6
- Update Thunderbird to 24.6.0
- Convert USE_BZIP2 to USES
- Backport ff31 fix against crashing DEBUG build on newegg.com [1]
- Add a note in UPDATING to not build audio/soundtouch with
INTEGER_SAMPLES [2]
- Use arc4random_buf(3) to generate UUIDs (version 4)
- Fix debugger detection used by Telemetry and the slow script dialog
- Add STAGE support [3]
PR: ports/189991 [1]
PR: ports/189217 [2]
PR: ports/189488 [2]
Submitted by: bapt [3]
Sumbitted by: Jan Beich
Security: http://www.vuxml.org/freebsd/888a0262-f0d9-11e3-ba0c-b4b52fce4ce8.html
Since FreeBSD 8.4 and FreeBSD 9.1 make(1) do support :tu and :tl as a
replacement for :U and :L (which has been marked as deprecated)
bmake which is the default on FreeBSD 10+ only support by default
:tu/:tl a hack has been added at the time to support :U and :L to ease
migration. This hack is now not necessary anymore
Note that this makes the ports tree incompatible with make(1) from
FreeBSD 8.3 or earlier
With hat: portmgr
- Update Firefox ESR to 24.5.0
- Update Thunderbird to 24.5.0
- Update NSS to 3.16
- Use port dependency for soundtouch library
- Require recent graphite2 version explicitly [1]
- Require gst-libav version that doesn't crash on seeking [2]
and doesn't error out on plugin load [3]
- Remove gstreamer note in pkg-message for www/firefox, [3] may still
happen with www/firefox-esr but only until it tracks esr31 (ca 2014-09-01)
- Fix USE_XPI in mail/thunderbird-i18n [4]
Security: http://www.vuxml.org/freebsd/985d4d6c-cfbd-11e3-a003-b4b52fce4ce8.html
PR: ports/187939 [1]
PR: ports/188133 [2]
PR: ports/181964 [3]
PR: ports/188984 [4]
Submitted by: Toomas Aas <toomas.aas@raad.tartu.ee> [1]
Submitted by: Jakub Lach <jakub_lach@mailplus.pl> [2]
Submitted by: Jan Beich [3] and this update!
Submitted by: Toni Ballesta <mustelator@yahoo.es> [4]
Approved by: portmgr (bdrewery, security update to non-staged port)
