security/ca_root_nss: Fix SSL verification for ports OpenSSL consumers

Since 2.7.9, Python verifies SSL certificates by default. Currently,
even with security/ca_root_nss installed, Python fails certificate
verification.

Upon investigation, Python uses OpenSSL's standard
SSL_CTX_load_verify_locations function to load a list of CA root
certificates.

Support was added to ca_root_nss for "out of the box" certificate
verification for a number of base utilities in r372629 [1], but this
did not include support for software that uses OpenSSL's
SSL_CTX_load_verify_locations function.

[1] https://svnweb.freebsd.org/changeset/ports/372629

OpenSSL defaults (at compile time) to the following paths and filenames
for certificate and CAFile lookup:

Base:
  SSL_CERT_DIR=/etc/ssl/certs
  SSL_CERT_FILE/etc/ssl/cert.pem

Ports:
  SSL_CERT_DIR=/usr/local/openssl/certs
  SSL_CERT_FILE=/usr/local/openssl/cert.pem

This change installs a symlink which points to the root certificate
bundle in the location that OpenSSL from ports looks for them.

This allows any and all software utilising SSL_CTX_load_verify_locations
function to verify SSL certificates by default after installation of
this package.

Additionally, display a pkg-message to the user about the lack of
warranty associated with these certificates.

Note: This is *NOT* related to solving for SSL certificate verification
for OpenSSL in Base, which is covered in bug 189811.

While I'm here:

- Add LICENSE
- Use options helpers and OPTIONS_SUB
- Fix typo in !!! message !!!

PR: 196431
Submitted by:	koobs
Reviewed by:	jbeich
Approved by:	maintainer timeout (1 month)

security/ca_root_nss/Makefile

@@ -2,15 +2,21 @@
 
 PORTNAME=	ca_root_nss
 PORTVERSION=	${VERSION_NSS}
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
 DISTNAME=	nss-${VERSION_NSS}${NSS_SUFFIX}
 
 MAINTAINER=	gecko@FreeBSD.org
-COMMENT=	The root certificate bundle from the Mozilla Project
+COMMENT=	Root certificate bundle from the Mozilla Project
+
+LICENSE=	MPL
+
+OPTIONS_DEFINE=		ETCSYMLINK
+OPTIONS_SUB=		yes
 
-OPTIONS_DEFINE=	ETCSYMLINK
 ETCSYMLINK_DESC=	Add symlink to /etc/ssl/cert.pem
+ETCSYMLINK_CONFLICTS=	ca-roots-[0-9]*
 
 USES=		perl5
 USE_PERL5=	build
@@ -21,7 +27,7 @@ CERTDIR?=	share/certs
 PLIST_SUB+=	CERTDIR=${CERTDIR}
 
 # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-# !!!  These versions are indented to track security/nss.        !!!
+# !!!  These versions are intended to track security/nss.        !!!
 # !!!  Please DO NOT submit patches for new version until it has !!!
 # !!!  been committed there first.                               !!!
 # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
@@ -29,18 +35,12 @@ VERSION_NSS=	3.17.4
 #NSS_SUFFIX=	.with.ckbi.1.93
 CERTDATA_TXT_PATH=	nss-${VERSION_NSS}/nss/lib/ckfw/builtins/certdata.txt
 BUNDLE_PROCESSOR=	MAca-bundle.pl
-SUB_FILES=	MAca-bundle.pl
+
+SUB_FILES=	MAca-bundle.pl pkg-message
 SUB_LIST=	VERSION_NSS=${VERSION_NSS}
 
 .include <bsd.port.options.mk>
 
-.if ${PORT_OPTIONS:METCSYMLINK}
-PLIST_SUB+=	ETCSYMLINK=
-CONFLICTS=	ca-roots-[0-9]*
-.else
-PLIST_SUB+=	ETCSYMLINK="@comment "
-.endif
-
 do-extract:
 	@${MKDIR} ${WRKDIR}
 	@${TAR} -C ${WRKDIR} -xf ${DISTDIR}/nss-${VERSION_NSS}${NSS_SUFFIX}${EXTRACT_SUFX} \
@@ -63,6 +63,8 @@ post-install:
 	${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem
 .endif
 	${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl
-	${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem
+	${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample
+	${MKDIR} ${STAGEDIR}${PREFIX}/openssl
+	${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample
 
 .include <bsd.port.mk>

security/ca_root_nss/files/pkg-message.in

@@ -0,0 +1,25 @@
+********************************* WARNING *********************************
+
+FreeBSD does not, and can not warrant that the certificate authorities
+whose certificates are included in this package have in any way been
+audited for trustworthiness or RFC 3647 compliance.
+
+Assessment and verification of trust is the complete responsibility of the
+system administrator.
+
+*********************************** NOTE **********************************
+
+This package installs symlinks to support root certificates discovery by
+default for software that uses OpenSSL.
+
+This enables SSL Certificate Verification by client software without manual
+intervention.
+
+If you prefer to do this manually, replace the following symlinks with
+either an empty file or your site-local certificate bundle.
+
+  * /etc/ssl/cert.pem
+  * %%PREFIX%%/etc/ssl/cert.pem
+  * %%PREFIX%%/openssl/cert.pem
+
+***************************************************************************

security/ca_root_nss/pkg-plist

@@ -1,3 +1,4 @@
 %%CERTDIR%%/ca-root-nss.crt
-etc/ssl/cert.pem
+@sample etc/ssl/cert.pem.sample
+@sample openssl/cert.pem.sample
 %%ETCSYMLINK%%/etc/ssl/cert.pem