net/libfetch: update to 2.40
Validate HTTPS by default, unless environment variable SSL_NO_VERIFY_PEER is set (from FreeBSD). WARNING: This changes the semantics of the library in ways that may break the functionality of existing callers, even callers that don't ask to fetch HTTPS URLs -- because HTTP may redirect to HTTPS. WARNING: This does not guarantee fetching HTTPS URLs will return only authenticated data from the named host. If the host redirects to HTTP or FTP, libfetch will follow the redirect and return unauthenticated data with no way for the caller to know this has happened (short of disabling redirects altogether -- including HTTPS-to-HTTPS redirects -- with the undocumented `A' flag). That's OK for pkgsrc distfile fetch, since we have checksums stored in pkgsrc for the distfiles, but makes a simple server misconfiguration a security vulnerability with pkg_add or pkgin (even with signed packages, because there's a lot of attack surface between the transport layer and the package signatures). Discussion on tech-pkg: https://mail-index.netbsd.org/tech-pkg/2023/12/09/msg028590.html https://mail-index.netbsd.org/tech-pkg/2023/12/22/msg028654.html ok gdt (https://mail-index.netbsd.org/tech-pkg/2023/12/31/msg028733.html)
parent
8a3666b7f9
commit
5290c01c62
@ -1,7 +1,6 @@
# $NetBSD: Makefile,v 1.64 2023/10/24 22:10:22 wiz Exp $
# $NetBSD: Makefile,v 1.65 2024/01/03 03:54:46 riastradh Exp $
DISTNAME= libfetch-2.39
PKGREVISION= 2
DISTNAME= libfetch-2.40
CATEGORIES= net
MASTER_SITES= # empty
DISTFILES= # empty
@ -1,4 +1,4 @@
/* $NetBSD: common.c,v 1.31 2016/10/20 21:25:57 joerg Exp $ */
/* $NetBSD: common.c,v 1.32 2024/01/03 03:54:46 riastradh Exp $ */
/*-
* Copyright (c) 1998-2004 Dag-Erling Coïdan Smørgrav
* Copyright (c) 2008, 2010 Joerg Sonnenberger <joerg@NetBSD.org>
@ -451,6 +451,10 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
conn->ssl_meth = SSLv23_client_method();
conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
SSL_CTX_set_default_verify_paths(conn->ssl_ctx);
SSL_CTX_set_verify(conn->ssl_ctx, SSL_VERIFY_PEER, NULL);
}
conn->ssl = SSL_new(conn->ssl_ctx);
if (conn->ssl == NULL){
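Review bot: `SSL_VERIFY_PEER` on its own only checks that the chain leads to a trusted root, not that the certificate was issued for `URL->host`, so unless the rest of `fetch_ssl` (which starts and ends outside this hunk) checks the hostname, a certificate validly issued to any other name will be accepted. With OpenSSL 1.1.0 or later that is one line after the `SSL_new` call shown here, `SSL_set1_host(conn->ssl, URL->host);`, with `X509_VERIFY_PARAM_set1_host` on `SSL_get0_param(conn->ssl)` for older releases. The return value of `SSL_CTX_set_default_verify_paths` is also dropped; if the CA store cannot be loaded every HTTPS handshake will fail with an opaque verify error, so it is worth reporting under `verbose` when it returns 0. The `getenv` test is presence-only, so an empty `SSL_NO_VERIFY_PEER=` disables verification, which matches the "If defined" wording in fetch(3) but deserves a comment such as `/* presence, not value, disables verification (see fetch(3)) */`.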
@ -25,9 +25,9 @@
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: fetch.3,v 1.64 2007/12/18 11:03:26 des Exp $
.\" $NetBSD: fetch.3,v 1.17 2016/05/31 18:02:36 abhinav Exp $
.\" $NetBSD: fetch.3,v 1.18 2024/01/03 03:54:46 riastradh Exp $
.\"
.Dd January 22, 2010
.Dd December 22, 2023
.Dt FETCH 3
.Os
.Sh NAME
@ -638,6 +638,10 @@ which proxies should not be used.
Same as
.Ev NO_PROXY ,
for compatibility.
.It Ev SSL_NO_VERIFY_PEER
If defined,
.Nm
will skip validating certificates when fetching HTTPS URLs.
.El
.Sh EXAMPLES
To access a proxy server on