Date:      Thu, 3 Jul 2014 07:22:58 -0700
From:      Paul Hoffman <paul.hoffman@vpnc.org>
To:        d@delphij.net
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID:  <0C0E9D45-1E4E-4672-A19D-83D9E4A094D0@vpnc.org>
In-Reply-To: <53B499B1.4090003@delphij.net>
References:  <53B499B1.4090003@delphij.net>


On Jul 2, 2014, at 4:45 PM, Xin Li <delphij@delphij.net> wrote:

> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
> because we do not maintain one ourselves.  We do, however, provide a
> port, security/ca_root_nss, which has an option to install a symbolic
> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
> which is not the default option.
>
> This becomes a problem when applications, e.g. fetch(8), have grown
> support for doing certificate validation.  I think now it makes sense
> to have a default cert.pem installed with the base system.
>
> So my proposal would be:
>
> 1. Import a set of trusted root certificates, and install if
> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
>
> 2. In src/etc/Makefile, automatically create a symbolic link if it's
> not already present in ${DESTDIR}/etc/ssl;
>
> 3. Teach mergemaster(8) and other similar applications to create the
> symbolic link on demand;
>
> 4. Change the install/deinstall behavior of security/ca_root_nss:
>    ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
> install then overwrite with new symlink, and restore on deinstall.
>    ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
> install a new symlink; on deinstall, if
> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
> symlink to there, or remove if the file does not exist.
>
> Comments/objections?

It seems like a good plan. As long as people who have a different trust
list than Mozilla can easily implement their own trust plan, it's fine,
and this brings a lot of ease-of-use to the ports, particularly to
common ones like wget.

--Paul Hoffman
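As an added example (not code from this thread, from the FreeBSD source tree or from the security/ca_root_nss port), the following POSIX shell script models the install/deinstall behaviour described in step 4 of the quoted proposal, for both the ETCSYMLINK-checked and -unchecked cases, and adds the check an administrator with their own trust list would want: the unchecked deinstall only touches /etc/ssl/cert.pem if it is still the port's own symlink, so a locally supplied file is never clobbered. The function names, the backup file name (cert.pem.ca_root_nss.bak) and the placeholder certificate bundles are assumptions; the script works inside a throwaway root created with mktemp so it never writes to the real /etc/ssl.

```shell
#!/bin/sh
# Constructed model of the proposed security/ca_root_nss install/deinstall
# logic (step 4 of the proposal). Not the port's own code. All paths are
# relative to a throwaway $ROOT so the real /etc/ssl is never touched.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"
CERT="$ROOT/etc/ssl/cert.pem"
BACKUP="$CERT.ca_root_nss.bak"                        # hypothetical backup name
NSS="$ROOT/usr/local/share/certs/ca-root-nss.crt"     # port-installed bundle
BASE="$ROOT/usr/share/misc/ca-root-freebsd.pem"       # proposed base-system bundle

# Write a constructed bundle with $2 placeholder certificates to $1.
fake_bundle() {
    : > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf -- '-----BEGIN CERTIFICATE-----\nMIIplaceholder%s\n-----END CERTIFICATE-----\n' "$i" >> "$1"
        i=$((i + 1))
    done
}

setup_root() {
    mkdir -p "$ROOT/etc/ssl" "$ROOT/usr/local/share/certs" "$ROOT/usr/share/misc"
    fake_bundle "$NSS" 2
}

# True for regular files and for symlinks, including dangling ones.
exists() { [ -e "$1" ] || [ -L "$1" ]; }

# ETCSYMLINK checked: back up whatever is at cert.pem, then link to the NSS bundle.
install_checked() {
    if exists "$CERT"; then mv "$CERT" "$BACKUP"; fi
    ln -s "$NSS" "$CERT"
}
deinstall_checked() {
    rm -f "$CERT"
    if exists "$BACKUP"; then mv "$BACKUP" "$CERT"; fi
}

# ETCSYMLINK unchecked: create the link only if nothing is there yet.
install_unchecked() {
    exists "$CERT" || ln -s "$NSS" "$CERT"
}
# On deinstall, fall back to the base-system bundle if it exists, else remove
# the link. Added caveat: only act if cert.pem is still our own symlink, so an
# administrator's own trust list is left alone.
deinstall_unchecked() {
    if [ -L "$CERT" ] && [ "$(readlink "$CERT")" = "$NSS" ]; then
        rm -f "$CERT"
        if [ -e "$BASE" ]; then ln -s "$BASE" "$CERT"; fi
    fi
}

# What does cert.pem resolve to right now: a link target, a regular file, or nothing?
cert_target() {
    if [ -L "$CERT" ]; then readlink "$CERT"
    elif [ -e "$CERT" ]; then echo "regular-file"
    else echo "none"; fi
}

# The check an application such as fetch(8) effectively relies on: how many
# roots the bundle behind cert.pem actually contains.
count_certs() {
    if [ -e "$1" ]; then grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else echo 0; fi
}

demo() {
    setup_root
    install_unchecked
    echo "after install (unchecked):        $(cert_target) [$(count_certs "$CERT") certs]"
    fake_bundle "$BASE" 1
    deinstall_unchecked
    echo "after deinstall (base present):   $(cert_target) [$(count_certs "$CERT") certs]"
    rm -rf "$ROOT"
}
demo
```

Run it as a plain script to see the unchecked install followed by a deinstall that redirects cert.pem to the base-system bundle; set ROOT to an existing directory to inspect the resulting links by hand. The count_certs check is the quick way to confirm which trust list an application will actually see after a port install or removal.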



