From: Bryan Drewery (FreeBSD)
Date: Wed, 02 Jul 2014 20:55:07 -0500
To: d@delphij.net, freebsd-security@FreeBSD.ORG
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID: <53B4B7FB.6070407@FreeBSD.org>
References: <53B499B1.4090003@delphij.net>
In-Reply-To: <53B499B1.4090003@delphij.net>
Cc: Ben Laurie, gecko@FreeBSD.org, re, Jung-uk Kim, FreeBSD Ports Management Team

+portmgr

On 7/2/2014 6:45 PM, Xin Li wrote:
> Hi,
>
> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
> because we do not maintain one ourselves. We do, however, provide a
> port, security/ca_root_nss, which has an option to install a symbolic
> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
> which is not the default option.
>
> This becomes a problem when applications, e.g. fetch(8), have grown
> support for doing certificate validation. I think now it makes sense
> to have a default cert.pem installed with the base system.
>
> So my proposal would be:
>
> 1. Import a set of trusted root certificates, and install if
> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
>
> 2. In src/etc/Makefile, automatically create a symbolic link if it's
> not already present in ${DESTDIR}/etc/ssl;
>
> 3. Teach mergemaster(8) and other similar applications to create the
> symbolic link on demand;
>
> 4. Change the install/deinstall behavior of security/ca_root_nss:
> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
> install then overwrite with new symlink, and restore on deinstall.
> ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
> install a new symlink; on deinstall, if
> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
> symlink to there, or remove if the file does not exist.
>
> Comments/objections?
>
> Cheers,

Please see r266291. libfetch will now look in /usr/local/etc/ssl/ before
/etc/ssl. The next step was to have the port always install the symlink
there. It's fallen through the cracks though.

This only allows fixing applications that use libfetch, though, and not
other applications that expect a /etc/ssl/cert.pem, like curl.

I have no qualms about making security/ca_root_nss *always* install a
symlink into /usr/local/etc/ssl, but touching the base system is not
usually proper for a port. There is this vague idea floating around that
for package building, ports should never touch the base system (except
/var/db or /var/games or /etc/*passwd*) and / should otherwise be
read-only. This has not become a reality or had much discussion yet,
though we do frown on overwriting base and touching base already. For
example, the perl symlink in /usr/bin is phased out.

I like the idea of the base system installing a symlink from
/etc/ssl/cert.pem to *somewhere*. I like the idea of secteam maintaining
a ca-root-freebsd.pem even better, as long as you are willing to. IMHO
always install it, don't depend on MK_OPENSSL. Is the file actually
specific to OpenSSL? Ports would love to have it be available all the
time regardless of SSL library choices.
-- 
Regards,
Bryan Drewery
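The ETCSYMLINK install/deinstall behaviour proposed in step 4 of the quoted message, together with the point Bryan raises that a dangling or missing /etc/ssl/cert.pem is what breaks validation in fetch(8)-style clients, as an added shell example. This is not code from the thread, the security/ca_root_nss port or the FreeBSD base system. The paths are the ones named in the thread; the ROOT prefix argument, the function names and the constructed PEM placeholder are assumptions so that the script runs in a scratch directory rather than against a live /etc. The guard in the unchecked-deinstall path that only removes a link the port itself created is an added caveat, not part of the proposal.

```shell
#!/bin/sh
# Added example (not the ca_root_nss port's real pkg-install): the symlink
# handling for /etc/ssl/cert.pem described in the proposal's step 4.
# Every path is taken relative to a ROOT prefix (assumption) so the flow can
# be exercised in a scratch directory instead of touching the base system.

# Paths named in the thread.
PORT_BUNDLE="/usr/local/share/certs/ca-root-nss.crt"   # port's CA bundle
BASE_BUNDLE="/usr/share/misc/ca-root-freebsd.pem"      # proposed base bundle
CERT_LINK="/etc/ssl/cert.pem"

# cert_install ROOT yes|no  (second argument is the ETCSYMLINK option)
cert_install() {
    root=$1; etcsymlink=$2
    link="$root$CERT_LINK"
    mkdir -p "$(dirname "$link")"
    if [ "$etcsymlink" = yes ]; then
        # Checked: back up whatever is there (file or symlink), then link.
        if [ -e "$link" ] || [ -L "$link" ]; then
            mv "$link" "$link.bak"
        fi
        ln -s "$root$PORT_BUNDLE" "$link"
    else
        # Unchecked: only install when nothing pre-exists, never clobber.
        if [ ! -e "$link" ] && [ ! -L "$link" ]; then
            ln -s "$root$PORT_BUNDLE" "$link"
        fi
    fi
}

# cert_deinstall ROOT yes|no
cert_deinstall() {
    root=$1; etcsymlink=$2
    link="$root$CERT_LINK"
    if [ "$etcsymlink" = yes ]; then
        # Checked: drop our link and restore the backup if one was made.
        rm -f "$link"
        if [ -e "$link.bak" ] || [ -L "$link.bak" ]; then
            mv "$link.bak" "$link"
        fi
    else
        # Unchecked: added guard, only touch a link that points at our bundle.
        if [ -L "$link" ] && [ "$(readlink "$link")" = "$root$PORT_BUNDLE" ]; then
            rm -f "$link"
            # Repoint to the base bundle if present, otherwise leave it gone.
            if [ -f "$root$BASE_BUNDLE" ]; then
                ln -s "$root$BASE_BUNDLE" "$link"
            fi
        fi
    fi
}

# cert_check ROOT: succeed only if cert.pem resolves to a readable bundle
# holding at least one certificate. A dangling symlink fails the -r test,
# which is the state that makes certificate validation fail in clients.
cert_check() {
    link="$1$CERT_LINK"
    [ -r "$link" ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$link"
}

# make_root: scratch ROOT with a constructed (not real) port bundle in place.
make_root() {
    root=$(mktemp -d)
    mkdir -p "$root$(dirname "$PORT_BUNDLE")"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'constructed placeholder, not a real certificate' \
        '-----END CERTIFICATE-----' > "$root$PORT_BUNDLE"
    echo "$root"
}

# Run as "sh cert_link.sh demo" to walk through the unchecked flow.
if [ "${1:-}" = demo ]; then
    R=$(make_root)
    cert_install "$R" no
    cert_check "$R" && echo "after install: cert.pem OK"
    cert_deinstall "$R" no
    cert_check "$R" || echo "after deinstall (no base bundle): cert.pem missing"
    rm -rf "$R"
fi
```

The check function is the part worth keeping around outside the install script: after a mergemaster run or a port upgrade, `cert_check /` tells you in one call whether the link still resolves to a bundle, which is the condition the thread is ultimately trying to guarantee.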