From owner-freebsd-ports-bugs@FreeBSD.ORG Fri Sep 2 10:00:27 2011
Message-Id: <20110902095610.E06781CC6B@marvin.blogreen.org>
Date: Fri, 2 Sep 2011 11:56:10 +0200 (CEST)
From: Romain Tartiere
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/160387: security/ca_root_nss: Allow user to trust extra local certificates
X-Send-Pr-Version: 3.113

>Number:         160387
>Category:       ports
>Synopsis:       security/ca_root_nss: Allow user to trust extra local certificates
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 02 10:00:24 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Romain Tartiere
>Release:        FreeBSD 8.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD marvin.blogreen.org 8.2-STABLE FreeBSD 8.2-STABLE #7 r222417: Sat May 28 13:23:35 CEST 2011 root@marvin.blogreen.org:/usr/obj/usr/src/sys/MARVIN amd64
>Description:
When building packages for multiple FreeBSD boxes that will access internal resources using self-made certificates / other organisations' certificates, it would be handy to add these certificates to the generated file. This way, it is directly possible to use many programs (e.g. epiphany, curl) without first editing this file by hand (or with some tools such as puppet).

Beyond the benefit of not having to tweak this file manually, 'pkg_info -g' would not complain about mismatching file checksums unless something bad happened.
>How-To-Repeat:
1. Have some domain protected by some self-made certificate or e.g. cacert
2. Install security/ca_root_nss and ftp/curl
3. curl https://some.domain.example.com/
   ** fails **
4. cat cert >> /usr/local/share/certs/ca-root-nss.crt
5.
curl https://some.domain.example.com/ ** success ** >Fix: If the certificates are available at compile time, adding a feature to 'register' them along with the others is somewhat trivial: --- ca_root_nss.patch begins here --- --- Makefile.orig 2011-09-02 10:17:54.489639211 +0200 +++ Makefile 2011-09-02 10:22:48.659844571 +0200 @@ -69,6 +69,9 @@ do-build: @${PERL} ${WRKDIR}/ca-bundle.pl < ${WRKDIR}/certdata.txt > \ ${WRKDIR}/ca-root-nss.crt +.if defined(CA_ROOT_NSS_EXTRA_CERTS) + @${CAT} ${CA_ROOT_NSS_EXTRA_CERTS} >> ${WRKDIR}/ca-root-nss.crt +.endif do-install: ${MKDIR} ${PREFIX}/${CERTDIR} --- ca_root_nss.patch ends here --- I don't think "regular" users would use that feature so maybe presenting an OPTION is overkill. But maybe a message saying to 'set CA_ROOT_NSS_EXTRA_CERTS to the list of local certificates to trust' just before the build may be a plus. What is your opinion about such a feature? Thanks! >Release-Note: >Audit-Trail: >Unformatted:
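Review bot: the `.if defined(CA_ROOT_NSS_EXTRA_CERTS)` block in do-build appends whatever paths the variable names with no existence or format check, so a typo in the variable makes `@${CAT} ${CA_ROOT_NSS_EXTRA_CERTS} >> ${WRKDIR}/ca-root-nss.crt` fail the build with a bare cat error, and a file that is not PEM (or is empty) silently produces a bundle some consumers will not parse; consider guarding each path with `exists()` and documenting the knob in a comment near the top of the Makefile, since nothing in the hunk tells a user it exists or what format it expects. That comment should also spell out that every file listed becomes a trusted root for all consumers of ca-root-nss.crt, so the variable must only point at files the builder controls and has verified.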
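Both step 4 of the How-To-Repeat and the patch's `${CAT} ... >>` append files to the bundle blindly. The routine below is an added example, not part of this PR or of the ca_root_nss port: it merges extra PEM files into a bundle only after checking that each block is a CERTIFICATE whose body decodes to a DER SEQUENCE, skips certs the bundle already carries, and returns the SHA-256 fingerprints it added so the build can log what was trusted. The sample PEM data is constructed from minimal DER sequences, not real certificates.

```python
import base64
import hashlib
import re
# One PEM block: group 1 is the label, group 2 the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def to_pem(der):
    """Emit DER bytes as a canonical 64-column PEM CERTIFICATE block."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def parse_pem_certs(text):
    """Return the DER bytes of every CERTIFICATE block in text; reject other
    block types (e.g. a pasted private key), bad base64 and non-SEQUENCE bodies."""
    ders = []
    for label, body in PEM_BLOCK.findall(text):
        if label != "CERTIFICATE":
            raise ValueError("unexpected PEM block: %s" % label)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("bad base64 in certificate block") from exc
        if not der or der[0] != 0x30:  # 0x30 is the ASN.1 SEQUENCE tag
            raise ValueError("certificate block is not a DER SEQUENCE")
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return ders

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()  # SHA-256 over DER, the usual CA id

def merge_extra_certs(bundle, extras):
    """Append every cert in the PEM texts `extras` to `bundle`, skipping ones
    already present; return (new_bundle, fingerprints_added) for the build log."""
    known = {fingerprint(d) for d in parse_pem_certs(bundle)}
    out, added = [bundle.rstrip("\n") + "\n"], []
    for der in (d for text in extras for d in parse_pem_certs(text)):
        fp = fingerprint(der)
        if fp not in known:
            known.add(fp)
            added.append(fp)
            out.append(to_pem(der))
    return "".join(out), added
# Constructed sample data: minimal DER SEQUENCEs standing in for real certs.
DER_A = b"\x30\x03\x02\x01\x01"
DER_B = b"\x30\x03\x02\x01\x02"
SAMPLE_BUNDLE = "## constructed ca-root-nss.crt\n" + to_pem(DER_A)
SAMPLE_EXTRA = to_pem(DER_A) + to_pem(DER_B)  # one duplicate, one new cert
```

Run over real files, `merge_extra_certs(open(bundle).read(), [open(p).read() for p in paths])` would replace the unchecked `cat >>`, and a raised ValueError fails the build instead of shipping a broken bundle.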