Date: Fri, 2 Sep 2011 11:56:10 +0200 (CEST) From: Romain Tartiere <romain@FreeBSD.org> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/160387: security/ca_root_nss: Allow user to trust extra local certificates Message-ID: <20110902095610.E06781CC6B@marvin.blogreen.org> Resent-Message-ID: <201109021000.p82A0OlG001620@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 160387 >Category: ports >Synopsis: security/ca_root_nss: Allow user to trust extra local certificates >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Fri Sep 02 10:00:24 UTC 2011 >Closed-Date: >Last-Modified: >Originator: Romain Tartiere >Release: FreeBSD 8.2-STABLE amd64 >Organization: >Environment: System: FreeBSD marvin.blogreen.org 8.2-STABLE FreeBSD 8.2-STABLE #7 r222417: Sat May 28 13:23:35 CEST 2011 root@marvin.blogreen.org:/usr/obj/usr/src/sys/MARVIN amd64 >Description: When building packages for multiple FreeBSD boxes that will access internal resources using self-made certificates / other organisations certificates, it would be handy to add these certificates to the generated file. This way, it is directly possible to use many programs (e.g. epiphany, curl) without first editing this file by hand (or with some tools such as puppet). Beyond the benefit of not having to tweak this file manually, 'pkg_info -g' would not complain about mismatching files checksum unless something bad happened. >How-To-Repeat: 1. Have some domain protected by some self-made certificate or e.g. cacert 2. Install security/ca_root_nss and ftp/curl 3. curl https://some.domain.example.com/ ** fails ** 4. cat cert >> /usr/local/share/certs/ca-root-nss.crt 5. curl https://some.domain.example.com/ ** success ** >Fix: If the certificates are available at compile time, adding a feature to 'register' them along with the others is somewhat trivial: --- ca_root_nss.patch begins here --- --- Makefile.orig 2011-09-02 10:17:54.489639211 +0200 +++ Makefile 2011-09-02 10:22:48.659844571 +0200 @@ -69,6 +69,9 @@ do-build: @${PERL} ${WRKDIR}/ca-bundle.pl < ${WRKDIR}/certdata.txt > \ ${WRKDIR}/ca-root-nss.crt +.if defined(CA_ROOT_NSS_EXTRA_CERTS) + @${CAT} ${CA_ROOT_NSS_EXTRA_CERTS} >> ${WRKDIR}/ca-root-nss.crt +.endif do-install: ${MKDIR} ${PREFIX}/${CERTDIR} --- ca_root_nss.patch ends here --- I don't think "regular" users would use that feature so maybe presenting an OPTION is overkill. But maybe a message saying to 'set CA_ROOT_NSS_EXTRA_CERTS to the list of local certificates to trust' just before the build may be a plus. What is your opinion about such a feature? Thanks! >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110902095610.E06781CC6B>