It turns out that some ports have an undisclosed dependency on the
symlink and cannot be trivially changed to use the system trust
store instead.
Amend the package message to make it clear that software which relies
on this symlink is not following recommended practice.
I will look into getting certctl(8) to provide cert.pem instead, but
it may take a while until we can rely on this being in place on all
supported releases.
This partly reverts commit 483e74f44b.
PR: 274322
MFH: 2023Q4
Reviewed by: fluffy
Differential Revision: https://reviews.freebsd.org/D42120

These 2 files are already handled by @sample.
===> Deinstalling for ca_root_nss
===> Deinstalling ca_root_nss-3.93
Updating database digests format: 100%
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):
Installed packages to be REMOVED:
ca_root_nss: 3.93
Number of packages to be removed: 1
[1/1] Deinstalling ca_root_nss-3.93...
[1/1] Deleting files for ca_root_nss-3.93: 11%
ca_root_nss-3.93: missing file /usr/local/etc/ssl/cert.pem
[1/1] Deleting files for ca_root_nss-3.93: 33%
ca_root_nss-3.93: missing file /usr/local/openssl/cert.pem
[1/1] Deleting files for ca_root_nss-3.93: 100%
Approved by: portmgr (blanket)

Changelog:
Network Security Services (NSS) 3.83 was released on 15 September 2022.
The HG tag is NSS_3_83_RTM. This version of NSS requires NSPR 4.34.1 or
newer.
Changes:
- Bug 1788875 - Remove set-but-unused variables from
SEC_PKCS12DecoderValidateBags
- Bug 1563221 - remove older oses that are unused part3/ BeOS
- Bug 1563221 - remove older unix support in NSS part 3 Irix
- Bug 1563221 - remove support for older unix in NSS part 2 DGUX
- Bug 1563221 - remove support for older unix in NSS part 1 OSF
- Bug 1778413 - Set nssckbi version number to 2.58
- Bug 1785297 - Add two SECOM root certificates to NSS
- Bug 1787075 - Add two DigitalSign root certificates to NSS
- Bug 1778412 - Remove Camerfirma Global Chambersign Root from NSS
- Bug 1771100 - Added bug reference and description to disabled
UnsolicitedServerNameAck bogo ECH test
- Bug 1779361 - Removed skipping of ECH on equality of private and
public server name
- Bug 1779357 - Added comment and bug reference to
ECHRandomHRRExtension bogo test
- Bug 1779370 - Added Bogo shim client HRR test support. Fixed
overwriting of CHInner.random on HRR
- Bug 1779234 - Added check for server only sending ECH extension
with retry configs in EncryptedExtensions and if not
accepting ECH. Changed config setting behavior to
skip configs with unsupported mandatory extensions
instead of failing
- Bug 1771100 - Added ECH client support to BoGo shim. Changed
CHInner creation to skip TLS 1.2 only extensions to
comply with BoGo
- Bug 1771100 - Added ECH server support to BoGo shim. Fixed NSS ECH
server accept_confirmation bugs
- Bug 1771100 - Update BoGo tests to recent BoringSSL version
- Bug 1785846 - Bump minimum NSPR version to 4.34.1
NSS 3.83 shared libraries are backwards-compatible with all older NSS
3.x shared libraries. A program linked with older NSS 3.x shared
libraries will work with this new version of the shared libraries
without recompiling or relinking. Furthermore, applications that
restrict their use of NSS APIs to the functions listed in NSS Public
Functions will remain compatible with future versions of the NSS
shared libraries.
Sponsored by: Netzkommune GmbH

Changelog:
- Bug 1762831: Enable aarch64 hardware crypto support on OpenBSD.
- Bug 1775359 - make NSS_SecureMemcmp 0/1 valued.
- Bug 1779285: Add no_application_protocol alert handler and test client error code is set.
- Bug 1777672 - Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
NSS 3.81 shared libraries are backwards-compatible with all older NSS
3.x shared libraries. A program linked with older NSS 3.x shared
libraries will work with this new version of the shared libraries
without recompiling or relinking. Furthermore, applications that
restrict their use of NSS APIs to the functions listed in NSS Public
Functions will remain compatible with future versions of the NSS
shared libraries.
Sponsored by: Netzkommune GmbH

and support CKA_NSS_SERVER_DISTRUST_AFTER to not include
certificates if the extracted bundle of certificates
is generated later than the expiration date.
This script no longer emits trust certificates for
* EMAIL_PROTECTION
* CODE_SIGNING
because the default certificate bundle in FreeBSD is supposed to
be used for server authentication.
Reported by: Christian Heimes <christian@python.org>
via: Gordon Tetlow
Approved by: ports-secteam (riggs@) (maintainer)
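
The selection rule described in the last commit message above, as an added Python example (not the port's own extraction script): keep a root only if it is trusted for server authentication and the bundle is not generated later than its CKA_NSS_SERVER_DISTRUST_AFTER date. The function names, the constructed sample, and the pairing of certificate and trust objects by CKA_LABEL are assumptions made for illustration.

```python
import re
from datetime import datetime
# Constructed sample in certdata.txt syntax; labels and the date are made up.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root B"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\060\060\071\060\061\060\060\060\060\060\060\132
END
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root C"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root C"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

def parse_objects(text):  # hypothetical helper: one attribute dict per object
    objs, lines = [], iter(text.splitlines())
    for line in lines:
        m = re.match(r'(CKA_\w+) (\S+) ?"?(.*?)"?$', line)
        if not m or not (objs or m[1] == "CKA_CLASS"):
            continue                          # skip text before the first object
        if m[1] == "CKA_CLASS":
            objs.append({})                   # CKA_CLASS opens a new object
        objs[-1][m[1]] = m[3]
        if m[2] == "MULTILINE_OCTAL":         # octal-escaped bytes up to END
            octal = "".join(iter(lambda: next(lines).strip(), "END"))
            objs[-1][m[1]] = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
    return objs

def server_auth_roots(text, generated_at):   # generated_at: timezone-aware UTC
    objs = parse_objects(text)
    trusted = {o.get("CKA_LABEL") for o in objs  # server-auth trust anchors only
               if o.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR"}
    def lapsed(o):  # bundle generated later than the distrust-after date
        d = o.get("CKA_NSS_SERVER_DISTRUST_AFTER")   # bytes "YYMMDDhhmmssZ" or CK_FALSE
        return isinstance(d, bytes) and generated_at > datetime.strptime(
            d.decode() + "+0000", "%y%m%d%H%M%SZ%z")
    return [o["CKA_LABEL"] for o in objs if o["CKA_CLASS"] == "CKO_CERTIFICATE"
            and o.get("CKA_LABEL") in trusted and not lapsed(o)]
```

With the sample, "Example Root C" is never emitted because its only trusted-delegator purpose is EMAIL_PROTECTION, and "Example Root B" drops out once the generation time passes its distrust-after date.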