From owner-freebsd-gecko@FreeBSD.ORG Thu Oct 2 13:25:46 2014
From: Eric van Gyzen
Date: Thu, 02 Oct 2014 09:25:40 -0400
To: Bryan Drewery, d@delphij.net, freebsd-security@FreeBSD.ORG, Jung-uk Kim
Cc: Ben Laurie, gecko@FreeBSD.org, Dirk Meyer, re, FreeBSD Ports Management Team
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID: <542D5254.2050508@vangyzen.net>
In-Reply-To: <542C6B0A.9060503@FreeBSD.org>
References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <542C6B0A.9060503@FreeBSD.org>

On 10/01/2014 16:58, Bryan Drewery wrote:
> On 7/2/2014 8:55 PM, Bryan Drewery wrote:
>> On 7/2/2014 6:45 PM, Xin Li wrote:
>>> Hi,
>>>
>>> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
>>> because we do not maintain one ourselves. We do, however, provide a
>>> port, security/ca_root_nss, which has an option to install a symbolic
>>> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
>>> which is not the default option.
>>>
>>> This becomes a problem when applications, e.g. fetch(8), have grown
>>> support for doing certificate validation. I think now it makes sense
>>> to have a default cert.pem installed with the base system.
>>>
>>> So my proposal would be:
>>>
>>> 1. Import a set of trusted root certificates, and install if
>>> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
>>>
>>> 2. In src/etc/Makefile, automatically create a symbolic link if it's
>>> not already present in ${DESTDIR}/etc/ssl;
>>>
>>> 3. Teach mergemaster(8) and other similar applications to create the
>>> symbolic link on demand;
>>>
>>> 4. Change the install/deinstall behavior of security/ca_root_nss:
>>> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
>>> install, then overwrite it with the new symlink, and restore it on deinstall.
>>> ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
>>> install a new symlink; on deinstall, if
>>> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
>>> symlink to there, or remove it if the file does not exist.
>>>
>>> Comments/objections?
>>>
>>> Cheers,
>> Please see r266291.
>>
>> libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl.
>>
>> The next step was to have the port always install the symlink there.
>> It's fallen through the cracks though.
>>
>> This only allows fixing applications that use libfetch though, and not
>> other applications that expect a /etc/ssl/cert.pem, like curl.
> This seems to have been dropped. We do need some sort of solution though.
>
> I've found that curl already does the right thing and looks at the
> proper /usr/local location for the ca_root_nss bundle, due to being
> configured in the curl port to do so.
>
> The remaining piece IMHO would be fixing base openssl to look for
> /usr/local/etc/ssl/cert.pem before /etc/ssl/cert.pem. The port currently
> looks in /usr/local/openssl by default and not /etc/ssl.
>
> Here is a patch for the port to check /usr/local/etc/ssl first:
>
> https://people.freebsd.org/~bdrewery/patches/port-openssl-local-cert-pem.diff
>
> And a patch for base libcrypto to check /usr/local/etc/ssl first:
>
> https://people.freebsd.org/~bdrewery/patches/base-openssl-local-cert-pem.diff

This is a good idea, and the patches look fine to me.

> These allow things like wget to work by default once ca_root_nss is
> installed with the /usr/local/etc/ssl/cert.pem symlink.
>
> As for installing a CA root bundle by default, we could just bootstrap
> it along with pkg from ca_root_nss.
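Added example (not from this thread, nor from the ca_root_nss port's own pkg-install scripts): POSIX sh that models step 4 of Xin Li's proposal, the ETCSYMLINK checked/unchecked install and deinstall handling of /etc/ssl/cert.pem, without clobbering a pre-existing file or leaving a dangling link. It assumes a scratch DESTDIR (defaulting to a temporary directory so it runs unprivileged) and a backup suffix of its own choosing.

```shell
#!/bin/sh
# Added example, not from the thread or the ca_root_nss port: models step 4
# of the quoted proposal (ETCSYMLINK checked/unchecked) for /etc/ssl/cert.pem.
# DESTDIR defaults to a constructed scratch root so it runs unprivileged;
# the ".bak-ca_root_nss" backup suffix is an assumption.

: "${DESTDIR:=$(mktemp -d)}"
CERT_LINK="$DESTDIR/etc/ssl/cert.pem"
PORT_BUNDLE="$DESTDIR/usr/local/share/certs/ca-root-nss.crt"
BASE_BUNDLE="$DESTDIR/usr/share/misc/ca-root-freebsd.pem"
BACKUP="$CERT_LINK.bak-ca_root_nss"

# test -e is false for a dangling symlink, so check -L as well.
present() { [ -e "$1" ] || [ -L "$1" ]; }

# ETCSYMLINK checked: back up whatever is there, then install our link.
install_etcsymlink() {
    mkdir -p "$(dirname "$CERT_LINK")"
    if present "$CERT_LINK"; then mv "$CERT_LINK" "$BACKUP"; fi
    ln -s "$PORT_BUNDLE" "$CERT_LINK"
}

# ETCSYMLINK checked, deinstall: drop our link and restore the backup.
deinstall_etcsymlink() {
    rm -f "$CERT_LINK"
    if present "$BACKUP"; then mv "$BACKUP" "$CERT_LINK"; fi
}

# ETCSYMLINK unchecked: never clobber an existing cert.pem.
install_nosymlink() {
    mkdir -p "$(dirname "$CERT_LINK")"
    present "$CERT_LINK" || ln -s "$PORT_BUNDLE" "$CERT_LINK"
}

# ETCSYMLINK unchecked, deinstall: only touch a link that is ours; point
# it at the base bundle if that exists, otherwise remove it so no
# dangling cert.pem is left behind.
deinstall_nosymlink() {
    [ -L "$CERT_LINK" ] || return 0
    [ "$(readlink "$CERT_LINK")" = "$PORT_BUNDLE" ] || return 0
    rm -f "$CERT_LINK"
    [ ! -e "$BASE_BUNDLE" ] || ln -s "$BASE_BUNDLE" "$CERT_LINK"
}
```

Run it with DESTDIR pointed at a staging root to see which bundle cert.pem resolves to after each step (`readlink "$CERT_LINK"`).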