Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 25 Oct 2014 21:21:16 +0200
From:      =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To:        d@delphij.net
Cc:        Ben Laurie <benl@freebsd.org>, freebsd-security@FreeBSD.ORG, re <re@freebsd.org>, Jung-uk Kim <jkim@freebsd.org>, gecko@FreeBSD.org
Subject:   Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID:  <86bnp07y6r.fsf@nine.des.no>
In-Reply-To: <53B499B1.4090003@delphij.net> (Xin Li's message of "Wed, 02 Jul 2014 16:45:53 -0700")
References:  <53B499B1.4090003@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
Reviving this discussion because it was never resolved.

Xin Li <delphij@delphij.net> writes:
> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
> because we do not maintain one ourselves.  [...]  So my proposal would
> be:
>
> 1. Import a set of trusted root certificates, and install if
> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;

At a minimum, we need the certificate chain for all freebsd.org
certificates.

> 2. In src/etc/Makefile, automatically create a symbolic link if it's
> not already present in ${DESTDIR}/etc/ssl;
>
> 3. Teach mergemaster(8) and other similar applications to create the
> symbolic link on demand;
>
> 4. Change the install/deinstall behavior of security/ca_root_nss:
>    ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
> install then overwrite with new symlink, and restore on deinstall.
>    ETCSYMLINK unchecked: If /etc/ssl/cert.pem do not pre-exist,
> install new a symlink; on deinstall, if
> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
> symlink to there, or remove if the file does not exist.

I would prefer to have each port install their certificate lists in a
"hidden" location which is then added to the search path using c_rehash.
This may require changing libfetch and various applications to pass a
path to SSL_CTX_load_verify_locations() instead of or in addition to a
file.

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@des.no

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86bnp07y6r.fsf>