Date:      Wed, 2 Jul 2014 23:29:33 -0400
From:      Glen Barber <gjb@FreeBSD.org>
To:        d@delphij.net
Cc:        Ben Laurie <benl@freebsd.org>, freebsd-security@FreeBSD.ORG, re <re@freebsd.org>, Jung-uk Kim <jkim@freebsd.org>, gecko@FreeBSD.org
Subject:   Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID:  <20140703032933.GC1214@hub.FreeBSD.org>
In-Reply-To: <53B499B1.4090003@delphij.net>
References:  <53B499B1.4090003@delphij.net>

On Wed, Jul 02, 2014 at 04:45:53PM -0700, Xin Li wrote:
> Hi,
>
> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
> because we do not maintain one ourselves.  We do, however, provide a
> port, security/ca_root_nss, which has an option to install a symbolic
> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
> which is not the default option.
>
> This becomes a problem when applications, e.g. fetch(8), have grown
> support for doing certificate validation.  I think now it makes sense
> to have a default cert.pem installed with the base system.
>
> So my proposal would be:
>
> 1. Import a set of trusted root certificates, and install them if
> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
>
> 2. In src/etc/Makefile, automatically create a symbolic link if it's
> not already present in ${DESTDIR}/etc/ssl;
>
> 3. Teach mergemaster(8) and other similar applications to create the
> symbolic link on demand;
>
> 4. Change the install/deinstall behavior of security/ca_root_nss:
>    ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
> install then overwrite with new symlink, and restore on deinstall.
>    ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
> install a new symlink; on deinstall, if
> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
> symlink to there, or remove it if the file does not exist.
>
> Comments/objections?
>

No objection from me, personally, on the re@ side.  In the longer term,
it would avoid needing to install the security/ca_root_nss port
explicitly for a few things for which they will be needed for 10.1 and
11.0 releases.

I do not, however, believe this is suitable to target for 9.3-RELEASE.

Glen
With hat:   re@
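The install/deinstall behaviour proposed in step 4 of the quoted message, written out as POSIX sh functions. This is an added example, not code from the thread or from the security/ca_root_nss port; it takes DESTDIR as an argument so it can be tried in a scratch tree, the backup-file suffix is an assumption, and in the unchecked deinstall case it only replaces a link it installed itself, a safety check the proposal does not spell out.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ca_root_nss port:
# the step-4 install/deinstall logic as POSIX sh functions. DESTDIR is
# taken as an argument so the behaviour can be tried in a scratch tree.
CERT_LINK=/etc/ssl/cert.pem
NSS_BUNDLE=/usr/local/share/certs/ca-root-nss.crt
BASE_BUNDLE=/usr/share/misc/ca-root-freebsd.pem
BACKUP_SUFFIX=.ca_root_nss.bak   # assumed name; the proposal names none

# install_cert_link DESTDIR ETCSYMLINK(yes|no)
install_cert_link() {
    link="$1$CERT_LINK"
    mkdir -p "${link%/*}"
    if [ "$2" = yes ]; then
        # ETCSYMLINK checked: back up any existing file or link, then take over.
        if [ -e "$link" ] || [ -L "$link" ]; then
            mv "$link" "$link$BACKUP_SUFFIX"
        fi
        ln -s "$NSS_BUNDLE" "$link"
    elif ! [ -e "$link" ] && ! [ -L "$link" ]; then
        # ETCSYMLINK unchecked: only fill a gap, never clobber an admin's cert.pem.
        ln -s "$NSS_BUNDLE" "$link"
    fi
}

# deinstall_cert_link DESTDIR ETCSYMLINK(yes|no)
deinstall_cert_link() {
    link="$1$CERT_LINK"
    if [ "$2" = yes ]; then
        # Restore whatever was backed up at install time.
        rm -f "$link"
        if [ -e "$link$BACKUP_SUFFIX" ] || [ -L "$link$BACKUP_SUFFIX" ]; then
            mv "$link$BACKUP_SUFFIX" "$link"
        fi
    elif [ -L "$link" ] && [ "$(readlink "$link")" = "$NSS_BUNDLE" ]; then
        # Only touch a link we installed ourselves (an extra check the
        # proposal does not spell out); fall back to the base bundle if present.
        rm -f "$link"
        if [ -e "$1$BASE_BUNDLE" ]; then
            ln -s "$BASE_BUNDLE" "$link"
        fi
    fi
}
```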

