From: Glen Barber
To: d@delphij.net
Cc: Ben Laurie, freebsd-security@FreeBSD.ORG, re, Jung-uk Kim, gecko@FreeBSD.org
Date: Wed, 2 Jul 2014 23:29:33 -0400
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID: <20140703032933.GC1214@hub.FreeBSD.org>
In-Reply-To: <53B499B1.4090003@delphij.net>
References: <53B499B1.4090003@delphij.net>

On Wed, Jul 02, 2014 at 04:45:53PM -0700, Xin Li wrote:
> Hi,
>
> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
> because we do not maintain one ourselves. We do, however, provide a
> port, security/ca_root_nss, which has an option to install a symbolic
> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
> which is not the default option.
>
> This becomes a problem when applications, e.g. fetch(8), have grown
> the support of doing certificate validation. I think now it makes
> sense to have a default cert.pem installed with the base system.
>
> So my proposal would be:
>
> 1. Import a set of trusted root certificates, and install if
> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
>
> 2. In src/etc/Makefile, automatically create a symbolic link if it's
> not already present in ${DESTDIR}/etc/ssl;
>
> 3. Teach mergemaster(8) and other similar applications to create the
> symbolic link on demand;
>
> 4. Change the install/deinstall behavior of security/ca_root_nss:
> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
> install then overwrite with new symlink, and restore on deinstall.
> ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
> install a new symlink; on deinstall, if
> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
> symlink to there, or remove if the file does not exist.
>
> Comments/objections?
>

No objection from me, personally, on the re@ side. In the longer term,
it would avoid needing to install the security/ca_root_nss port
explicitly for a few things for which they will be needed for 10.1 and
11.0 releases.

I do not, however, believe this is suitable to target for 9.3-RELEASE.

Glen
With hat: re@
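The symlink rules in steps 2 and 4 of the quoted proposal, worked through as an added example (POSIX sh written for this page; it is not FreeBSD's src/etc/Makefile nor the security/ca_root_nss port's own install scripts). It assumes a ROOT argument standing in for ${DESTDIR} so the whole walk-through stays inside one scratch directory, and the bundle files it writes are constructed placeholders rather than real certificates; the path names are the ones the proposal uses.

```shell
#!/bin/sh
# Added example: sketch of the cert.pem symlink handling proposed in the
# mail (base install, step 2; the two ETCSYMLINK modes of the port, step 4).
# Not FreeBSD's own Makefile or port scripts. ROOT stands in for ${DESTDIR}
# (a hypothetical argument) so the demo never touches the real /etc/ssl.
set -u

BASE_PEM="usr/share/misc/ca-root-freebsd.pem"     # step 1: base bundle
PORT_PEM="usr/local/share/certs/ca-root-nss.crt"  # port's bundle
CERT="etc/ssl/cert.pem"

# True when something is at the path, including a dangling symlink
# ([ -e ] alone follows the link and would report a dangling one as absent).
present() { [ -e "$1" ] || [ -L "$1" ]; }

# Step 2: base install creates the link only if nothing is there yet,
# so an administrator-supplied cert.pem is never replaced.
base_install() {
    root=$1
    mkdir -p "$root/etc/ssl"
    if ! present "$root/$CERT"; then
        ln -s "$root/$BASE_PEM" "$root/$CERT"
    fi
}

# Step 4, ETCSYMLINK unchecked, install: link only if cert.pem does not pre-exist.
port_install_unchecked() {
    root=$1
    mkdir -p "$root/etc/ssl"
    present "$root/$CERT" || ln -s "$root/$PORT_PEM" "$root/$CERT"
}

# Step 4, ETCSYMLINK unchecked, deinstall: point the link back at the base
# bundle if it exists, otherwise remove the link. Only a symlink that points
# at the port's bundle is touched (a defensive check added here).
port_deinstall_unchecked() {
    root=$1
    if [ -L "$root/$CERT" ] && [ "$(readlink "$root/$CERT")" = "$root/$PORT_PEM" ]; then
        rm -f "$root/$CERT"
        if [ -f "$root/$BASE_PEM" ]; then
            ln -s "$root/$BASE_PEM" "$root/$CERT"
        fi
    fi
}

# Step 4, ETCSYMLINK checked, install: back up whatever is there, then link.
# mv keeps a symlink as a symlink, so the backup records the old target.
port_install_checked() {
    root=$1
    mkdir -p "$root/etc/ssl"
    if present "$root/$CERT"; then
        mv "$root/$CERT" "$root/$CERT.bak"
    fi
    ln -s "$root/$PORT_PEM" "$root/$CERT"
}

# Step 4, ETCSYMLINK checked, deinstall: drop our link and restore the backup.
port_deinstall_checked() {
    root=$1
    rm -f "$root/$CERT"
    if present "$root/$CERT.bak"; then
        mv "$root/$CERT.bak" "$root/$CERT"
    fi
}

# Report where cert.pem points: the link target, "file", or "none".
cert_target() {
    root=$1
    if [ -L "$root/$CERT" ]; then readlink "$root/$CERT"
    elif [ -e "$root/$CERT" ]; then echo file
    else echo none
    fi
}

# Walk the whole lifecycle in a scratch tree with constructed bundle files.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/share/misc" "$root/usr/local/share/certs"
    echo "constructed base bundle (not a real certificate)" > "$root/$BASE_PEM"
    echo "constructed nss bundle (not a real certificate)" > "$root/$PORT_PEM"
    base_install "$root";             echo "after base install:   $(cert_target "$root")"
    port_install_unchecked "$root";   echo "port (unchecked) in:  $(cert_target "$root")"
    port_deinstall_unchecked "$root"; echo "port (unchecked) out: $(cert_target "$root")"
    port_install_checked "$root";     echo "port (checked) in:    $(cert_target "$root")"
    port_deinstall_checked "$root";   echo "port (checked) out:   $(cert_target "$root")"
    rm -rf "$root"
}

demo
```

The one addition beyond the proposal's wording is in port_deinstall_unchecked: it only rewrites a symlink that currently points at the port's own bundle, so a deinstall cannot silently remove a cert.pem the administrator put there by hand. Everything else follows the four cases the mail lists.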