Date: Sat, 25 Oct 2014 21:21:16 +0200
From: Dag-Erling Smørgrav <des@des.no>
To: d@delphij.net
Cc: Ben Laurie <benl@freebsd.org>, freebsd-security@FreeBSD.ORG, re <re@freebsd.org>, Jung-uk Kim <jkim@freebsd.org>, gecko@FreeBSD.org
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID: <86bnp07y6r.fsf@nine.des.no>
In-Reply-To: <53B499B1.4090003@delphij.net> (Xin Li's message of "Wed, 02 Jul 2014 16:45:53 -0700")
References: <53B499B1.4090003@delphij.net>
Reviving this discussion because it was never resolved.

Xin Li <delphij@delphij.net> writes:
> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
> because we do not maintain one ourselves. [...] So my proposal would
> be:
>
> 1. Import a set of trusted root certificates, and install if
> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;

At a minimum, we need the certificate chain for all freebsd.org
certificates.

> 2. In src/etc/Makefile, automatically create a symbolic link if it's
> not already present in ${DESTDIR}/etc/ssl;
>
> 3. Teach mergemaster(8) and other similar applications to create the
> symbolic link on demand;
>
> 4. Change the install/deinstall behavior of security/ca_root_nss:
> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
> install then overwrite with new symlink, and restore on deinstall.
> ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
> install a new symlink; on deinstall, if
> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
> symlink to there, or remove if the file does not exist.

I would prefer to have each port install their certificate lists in a
"hidden" location which is then added to the search path using
c_rehash. This may require changing libfetch and various applications
to pass a path to SSL_CTX_load_verify_locations() instead of or in
addition to a file.

DES
--
Dag-Erling Smørgrav - des@des.no
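One way to build the per-port "hidden" hashed location that the reply above proposes, as an added example that is not part of the thread and not FreeBSD's or any port's own code: a POSIX shell script that splits a PEM bundle into one-certificate files (OpenSSL's CApath lookup needs one cert per file), then populates a hashed directory the way c_rehash does, including the <hash>.N suffix handling for two CAs whose subject names hash the same. The bundle and directory paths under the --run guard are assumptions for illustration; only rehash_dir and the final verify need the openssl(1) binary.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD's source): build an
# OpenSSL hashed CA directory from a PEM bundle, the way c_rehash does.
# Paths under the --run guard are assumptions for illustration.
set -eu

# Split a multi-certificate PEM bundle into one file per certificate,
# because OpenSSL's hashed-directory lookup expects one cert per file.
# Prints the number of certificates written.
split_bundle() {
    bundle=$1
    out=$2
    mkdir -p "$out"
    awk -v out="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%04d.pem", out, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# Next free link name for a subject hash: OpenSSL probes <hash>.0,
# <hash>.1, ... so two CAs whose subjects hash the same need distinct
# suffixes, or the second one is silently never consulted.
next_slot() {
    dir=$1
    hash=$2
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        n=$((n + 1))
    done
    printf '%s.%s\n' "$hash" "$n"
}

# Symlink every one-cert PEM file in $1 into hashed directory $2.
# 'openssl x509 -hash' prints the subject-name hash that
# SSL_CTX_load_verify_locations() uses when it searches a CApath.
rehash_dir() {
    src=$1
    dst=$2
    mkdir -p "$dst"
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        abs=$(cd "$(dirname "$pem")" && pwd)/$(basename "$pem")
        h=$(openssl x509 -noout -hash -in "$pem")
        ln -s "$abs" "$dst/$(next_slot "$dst" "$h")"
    done
}

# Usage (assumed paths): split the NSS bundle the ca_root_nss port
# installs into a per-port hashed directory, then verify a leaf
# certificate against that directory alone, with no /etc/ssl/cert.pem.
if [ "${1:-}" = "--run" ]; then
    split_bundle /usr/local/share/certs/ca-root-nss.crt /tmp/ca-split
    rehash_dir /tmp/ca-split /usr/local/etc/ssl/hashed
    openssl verify -CApath /usr/local/etc/ssl/hashed \
        "${2:?need a leaf certificate to verify}"
fi
```

The directory this produces is what an application would hand to the CApath argument of SSL_CTX_load_verify_locations(), which is the libfetch change the reply mentions; a library that only ever passes a CAfile will not see it. Newer OpenSSL ships the same functionality as the `openssl rehash` subcommand, which also writes the .0/.1 collision suffixes and skips a certificate that is already linked.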
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86bnp07y6r.fsf>