From 5defc0df3dde70964ac891358468bc6197cbde52 Mon Sep 17 00:00:00 2001
From: riastradh
Date: Wed, 3 Jan 2024 11:40:38 +0000
Subject: [PATCH] fetch(3): Backport SSL validation from pkgsrc libfetch 2.40.

We should really sync with pkgsrc libfetch to avoid divergence, but this is a low-risk, high-priority change for NetBSD 10:

https://mail-index.netbsd.org/pkgsrc-changes/2024/01/03/msg290052.html
---
 external/bsd/fetch/dist/libfetch/common.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/external/bsd/fetch/dist/libfetch/common.c b/external/bsd/fetch/dist/libfetch/common.c
index 2a024f30dce7..b739555446ee 100644
--- a/external/bsd/fetch/dist/libfetch/common.c
+++ b/external/bsd/fetch/dist/libfetch/common.c
@@ -1,4 +1,4 @@
-/* $NetBSD: common.c,v 1.5 2023/12/29 00:55:46 christos Exp $ */
+/* $NetBSD: common.c,v 1.6 2024/01/03 11:40:38 riastradh Exp $ */
 /*-
  * Copyright (c) 1998-2004 Dag-Erling Coïdan Smørgrav
  * Copyright (c) 2008, 2010 Joerg Sonnenberger
@@ -452,6 +452,10 @@ fetch_ssl(conn_t *conn, int verbose)
 	conn->ssl_meth = SSLv23_client_method();
 	conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
 	SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
+	if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
+		SSL_CTX_set_default_verify_paths(conn->ssl_ctx);
+		SSL_CTX_set_verify(conn->ssl_ctx, SSL_VERIFY_PEER, NULL);
+	}
 	conn->ssl = SSL_new(conn->ssl_ctx);
 	if (conn->ssl == NULL){