Date: Thu, 02 Oct 2014 11:03:12 -0500 From: Bryan Drewery <bdrewery@FreeBSD.org> To: Jung-uk Kim <jkim@freebsd.org> Cc: Ben Laurie <benl@freebsd.org>, freebsd-security@FreeBSD.ORG, Dirk Meyer <dinoex@FreeBSD.org>, d@delphij.net, gecko@FreeBSD.org Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default? Message-ID: <542D7740.6030901@FreeBSD.org> In-Reply-To: <542D5254.2050508@vangyzen.net> References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <542C6B0A.9060503@FreeBSD.org> <542D5254.2050508@vangyzen.net>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--0At8Ro6LcTuvkG4eDmBo0X5foqneOAJ02
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
On 10/2/2014 8:25 AM, Eric van Gyzen wrote:
> On 10/01/2014 16:58, Bryan Drewery wrote:
>> On 7/2/2014 8:55 PM, Bryan Drewery wrote:
>>> On 7/2/2014 6:45 PM, Xin Li wrote:
>>>> Hi,
>>>>
>>>> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
>>>> because we do not maintain one ourselves. We do, however, provide a=
>>>> port, security/ca_root_nss, which have an option to install a symbol=
ic
>>>> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,=
>>>> which is not the default option.
>>>>
>>>> This become a problem when applications, e.g. fetch(8), have grown t=
he
>>>> support of doing certificate validation. I think now it makes sense=
>>>> to have a default cert.pem installed with the base system.
>>>>
>>>> So my proposal would be:
>>>>
>>>> 1. Import a set of trusted root certificates, and install if
>>>> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
>>>>
>>>> 2. In src/etc/Makefile, automatically create a symbolic link if it's=
>>>> not already present in ${DESTDIR}/etc/ssl;
>>>>
>>>> 3. Teach mergemaster(8) and other similar applications to create the=
>>>> symbolic link on demand;
>>>>
>>>> 4. Change the install/deinstall behavior of security/ca_root_nss:
>>>> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
>>>> install then overwrite with new symlink, and restore on deinstall.
>>>> ETCSYMLINK unchecked: If /etc/ssl/cert.pem do not pre-exist,
>>>> install new a symlink; on deinstall, if
>>>> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with=
a
>>>> symlink to there, or remove if the file does not exist.
>>>>
>>>> Comments/objections?
>>>>
>>>> Cheers,
>>> Please see r266291.
>>>
>>> libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl.
>>>
>>> The next step was to have the port always install the symlink there.
>>> It's fallen through the cracks though.
>>>
>>> This only allows fixing applications that use libfetch though and not=
>>> other applications that expect a /etc/ssl/cert.pem like curl.
>> This seems to have been dropped. We do need some sort of solution thou=
gh.
>>
>> I've found that curl already does the right thing and looking at the
>> proper /usr/local location for the ca_root_nss bundle due to being
>> configured in the curl port to do so.
>>
>> The remaining piece IMHO would be fixing base openssl to look for
>> /usr/local/etc/ssl/cert.pem before /etc/ssl/cert.pem. The port current=
ly
>> looks in /usr/local/openssl by default and not /etc/ssl.
>>
>> Here is a patch for the port to check /usr/local/etc/ssl first:
>>
>> https://people.freebsd.org/~bdrewery/patches/port-openssl-local-cert-p=
em.diff
>>
>> And a patch for base libcrypto to check /usr/local/etc/ssl first:
>>
>> https://people.freebsd.org/~bdrewery/patches/base-openssl-local-cert-p=
em.diff
>=20
> This is a good idea, and the patches look fine to me.
>=20
>> These allow things like wget to work by default once ca_root_nss is
>> installed with the /usr/local/etc/ssl/cert.pem symlink.
>>
>> As for installing a CA root bundle by default, we could just bootstrap=
>> it along with pkg from ca_root_nss.
My main question is about the proper way to modify the base libssl for
style/impact such that it does not lose the change on imports.
--=20
Regards,
Bryan Drewery
--0At8Ro6LcTuvkG4eDmBo0X5foqneOAJ02
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
iQEcBAEBAgAGBQJULXdBAAoJEDXXcbtuRpfP5QQIAMOhZvXqPW+peOhxMX9TnIPL
JCOOPh+bEqpDXApbGUkwMEoWrfTgz5kb/YQ75ljUiw1fCyWf1em/VckPJcg9CPaL
xTq03DMYm0w7OjFrmZXf4MQ8cJCtujmKLwhFBAF2TggjUHRXeEFXU9nK70NA1WSZ
9LzmR3lG1mCnTTq06plHFOciz0tTCIfkQ5LA7SBvntralDaY7F5jOkfCZSaO54dy
tl4gYvYXGZJW55Noek720pzdMryBH8kdK9A3hCK5BzQzL0ivRc5nHZI0shk41bQ8
81u1m4X614zxpFS5XVIuutOxZ3CjuI3qc5mtiMGF0WmDYJDQLBioRotmZF4E/dk=
=i4bU
-----END PGP SIGNATURE-----
--0At8Ro6LcTuvkG4eDmBo0X5foqneOAJ02--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?542D7740.6030901>