Date:      Thu, 02 Oct 2014 09:25:40 -0400
From:      Eric van Gyzen <eric@vangyzen.net>
To:        Bryan Drewery <bdrewery@FreeBSD.org>, d@delphij.net,  freebsd-security@FreeBSD.ORG, Jung-uk Kim <jkim@freebsd.org>
Cc:        Ben Laurie <benl@freebsd.org>, gecko@FreeBSD.org, Dirk Meyer <dinoex@FreeBSD.org>, re <re@freebsd.org>, FreeBSD Ports Management Team <portmgr@FreeBSD.org>
Subject:   Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID:  <542D5254.2050508@vangyzen.net>
In-Reply-To: <542C6B0A.9060503@FreeBSD.org>
References:  <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <542C6B0A.9060503@FreeBSD.org>

On 10/01/2014 16:58, Bryan Drewery wrote:
> On 7/2/2014 8:55 PM, Bryan Drewery wrote:
>> On 7/2/2014 6:45 PM, Xin Li wrote:
>>> Hi,
>>>
>>> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
>>> because we do not maintain one ourselves.  We do, however, provide a
>>> port, security/ca_root_nss, which has an option to install a symbolic
>>> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
>>> which is not the default option.
>>>
>>> This becomes a problem when applications, e.g. fetch(8), have grown
>>> support for doing certificate validation.  I think now it makes sense
>>> to have a default cert.pem installed with the base system.
>>>
>>> So my proposal would be:
>>>
>>> 1. Import a set of trusted root certificates, and install if
>>> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
>>>
>>> 2. In src/etc/Makefile, automatically create a symbolic link if it's
>>> not already present in ${DESTDIR}/etc/ssl;
>>>
>>> 3. Teach mergemaster(8) and other similar applications to create the
>>> symbolic link on demand;
>>>
>>> 4. Change the install/deinstall behavior of security/ca_root_nss:
>>>    ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
>>> install then overwrite with new symlink, and restore on deinstall.
>>>    ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
>>> install a new symlink; on deinstall, if
>>> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
>>> symlink to there, or remove if the file does not exist.
>>>
>>> Comments/objections?
>>>
>>> Cheers,
>> Please see r266291.
>>
>> libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl.
>>
>> The next step was to have the port always install the symlink there.
>> It's fallen through the cracks though.
>>
>> This only allows fixing applications that use libfetch though and not
>> other applications that expect a /etc/ssl/cert.pem like curl.
> This seems to have been dropped. We do need some sort of solution though.
>
> I've found that curl already does the right thing and looks at the
> proper /usr/local location for the ca_root_nss bundle due to being
> configured in the curl port to do so.
>
> The remaining piece IMHO would be fixing base openssl to look for
> /usr/local/etc/ssl/cert.pem before /etc/ssl/cert.pem. The port currently
> looks in /usr/local/openssl by default and not /etc/ssl.
>
> Here is a patch for the port to check /usr/local/etc/ssl first:
>
> https://people.freebsd.org/~bdrewery/patches/port-openssl-local-cert-pem.diff
>
> And a patch for base libcrypto to check /usr/local/etc/ssl first:
>
> https://people.freebsd.org/~bdrewery/patches/base-openssl-local-cert-pem.diff

This is a good idea, and the patches look fine to me.

> These allow things like wget to work by default once ca_root_nss is
> installed with the /usr/local/etc/ssl/cert.pem symlink.
>
> As for installing a CA root bundle by default, we could just bootstrap
> it along with pkg from ca_root_nss.
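
The lookup order Bryan proposes (ports location before base) and the ETCSYMLINK install/deinstall steps from Xin Li's proposal, sketched in POSIX sh as an added example; this is not code from the thread or from the ca_root_nss port, and ROOT is a hypothetical test prefix so the functions can be exercised in a scratch directory instead of on the live system.

```sh
#!/bin/sh
# Lookup order proposed in the thread: /usr/local/etc/ssl/cert.pem (ports,
# ca_root_nss symlink) before /etc/ssl/cert.pem (base). Every function takes
# ROOT, a hypothetical test prefix; pass "" to inspect the live system.

# find_ca_bundle ROOT: print the first cert.pem that resolves to a regular
# file. A symlink whose target is gone (the port was deinstalled and left the
# link behind) is reported on stderr and skipped. Returns 1 if none is usable.
find_ca_bundle() {
    root="${1:-}"
    for cand in "$root/usr/local/etc/ssl/cert.pem" "$root/etc/ssl/cert.pem"; do
        if [ -L "$cand" ] && [ ! -e "$cand" ]; then
            printf '%s -> %s (dangling)\n' "$cand" "$(readlink "$cand")" >&2
        elif [ -f "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    echo "no usable CA bundle under '$root'" >&2
    return 1
}

# count_certs FILE: number of PEM certificates in a bundle (0 if unreadable).
# A bundle that resolves but holds no certificates is as useless as a missing one.
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# install_etc_symlink ROOT TARGET: the "ETCSYMLINK checked" install step.
# Back up whatever is at /etc/ssl/cert.pem, then point it at TARGET.
install_etc_symlink() {
    link="$1/etc/ssl/cert.pem"
    mkdir -p "$1/etc/ssl"
    if [ -e "$link" ] || [ -L "$link" ]; then mv "$link" "$link.bak"; fi
    ln -s "$2" "$link"
}

# deinstall_etc_symlink ROOT: remove the symlink and restore the backup if
# there is one, so deinstall never leaves a dangling /etc/ssl/cert.pem.
deinstall_etc_symlink() {
    link="$1/etc/ssl/cert.pem"
    if [ -L "$link" ]; then rm "$link"; fi
    if [ -e "$link.bak" ]; then mv "$link.bak" "$link"; fi
    return 0
}
```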
