From: Bryan Drewery
Organization: FreeBSD
To: Jung-uk Kim
Date: Thu, 02 Oct 2014 11:03:12 -0500
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Cc: Ben Laurie, freebsd-security@FreeBSD.ORG, Dirk Meyer, d@delphij.net, gecko@FreeBSD.org
List: freebsd-gecko (Gecko Rendering Engine issues)

On 10/2/2014 8:25 AM, Eric van Gyzen wrote:
> On 10/01/2014 16:58, Bryan Drewery wrote:
>> On 7/2/2014 8:55 PM, Bryan Drewery wrote:
>>> On 7/2/2014 6:45 PM, Xin Li wrote:
>>>> Hi,
>>>>
>>>> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
>>>> because we do not maintain one ourselves. We do, however, provide a
>>>> port, security/ca_root_nss, which has an option to install a symbolic
>>>> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
>>>> which is not the default option.
>>>>
>>>> This becomes a problem when applications, e.g. fetch(8), have grown
>>>> support for doing certificate validation. I think it now makes sense
>>>> to have a default cert.pem installed with the base system.
>>>>
>>>> So my proposal would be:
>>>>
>>>> 1. Import a set of trusted root certificates, and install them if
>>>> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
>>>>
>>>> 2. In src/etc/Makefile, automatically create a symbolic link if it's
>>>> not already present in ${DESTDIR}/etc/ssl;
>>>>
>>>> 3. Teach mergemaster(8) and other similar applications to create the
>>>> symbolic link on demand;
>>>>
>>>> 4. Change the install/deinstall behavior of security/ca_root_nss:
>>>> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
>>>> install, then overwrite it with the new symlink, and restore it on deinstall.
>>>> ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
>>>> install a new symlink; on deinstall, if
>>>> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
>>>> symlink to there, or remove it if the file does not exist.
>>>>
>>>> Comments/objections?
>>>>
>>>> Cheers,
>>> Please see r266291.
>>>
>>> libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl.
>>>
>>> The next step was to have the port always install the symlink there.
>>> It's fallen through the cracks though.
>>>
>>> This only allows fixing applications that use libfetch though, and not
>>> other applications that expect a /etc/ssl/cert.pem, like curl.
>> This seems to have been dropped. We do need some sort of solution though.
>>
>> I've found that curl already does the right thing and looks in the
>> proper /usr/local location for the ca_root_nss bundle, due to being
>> configured in the curl port to do so.
>>
>> The remaining piece IMHO would be fixing base openssl to look for
>> /usr/local/etc/ssl/cert.pem before /etc/ssl/cert.pem. The port currently
>> looks in /usr/local/openssl by default and not /etc/ssl.
>>
>> Here is a patch for the port to check /usr/local/etc/ssl first:
>>
>> https://people.freebsd.org/~bdrewery/patches/port-openssl-local-cert-pem.diff
>>
>> And a patch for base libcrypto to check /usr/local/etc/ssl first:
>>
>> https://people.freebsd.org/~bdrewery/patches/base-openssl-local-cert-pem.diff
>
> This is a good idea, and the patches look fine to me.
>
>> These allow things like wget to work by default once ca_root_nss is
>> installed with the /usr/local/etc/ssl/cert.pem symlink.
>>
>> As for installing a CA root bundle by default, we could just bootstrap
>> it along with pkg from ca_root_nss.

My main question is about the proper way to modify the base libssl for
style/impact such that it does not lose the change on imports.

-- 
Regards,
Bryan Drewery
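The lookup order the thread settles on (libfetch, and the proposed libcrypto patch, try /usr/local/etc/ssl/cert.pem before /etc/ssl/cert.pem), together with the failure mode Xin Li's point 4 is about (a /etc/ssl/cert.pem symlink that is left dangling once the ca_root_nss bundle it points at is removed), as an added shell example. This is not code from the thread, from the patches linked above, or from FreeBSD; the root-prefix argument, the third fallback to the port's own bundle file, and the "contains a PEM certificate" sanity check are assumptions added so the logic can be exercised against a constructed directory tree rather than the live system.

```shell
#!/bin/sh
# Added example, not FreeBSD code: pick a CA bundle in the precedence the
# thread discusses (/usr/local/etc/ssl first, then /etc/ssl), skipping
# dangling symlinks and empty or non-PEM files. ROOT is an assumed prefix
# so the functions can run against a throwaway tree.

# bundle_usable FILE -> 0 if FILE resolves to a readable, non-empty regular
# file that contains at least one PEM certificate block, 1 otherwise.
# -f follows symlinks, so a dangling /etc/ssl/cert.pem fails here, which is
# the state a ca_root_nss deinstall can leave behind.
bundle_usable() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] && [ -s "$f" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f"
}

# find_ca_bundle [ROOT] -> prints the first usable candidate and returns 0,
# or prints nothing and returns 1 when none is usable. Order (assumed):
#   1. ROOT/usr/local/etc/ssl/cert.pem      (what libfetch checks first)
#   2. ROOT/etc/ssl/cert.pem                 (the traditional location)
#   3. ROOT/usr/local/share/certs/ca-root-nss.crt (the port's own bundle)
find_ca_bundle() {
    root=${1:-}
    for c in "$root/usr/local/etc/ssl/cert.pem" \
             "$root/etc/ssl/cert.pem" \
             "$root/usr/local/share/certs/ca-root-nss.crt"; do
        if bundle_usable "$c"; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# make_demo_tree ROOT -> builds a constructed tree mimicking a host where
# ca_root_nss was installed with ETCSYMLINK, plus one stale symlink under
# /usr/local/etc/ssl that points at a file that no longer exists.
make_demo_tree() {
    root=$1
    mkdir -p "$root/usr/local/share/certs" "$root/usr/local/etc/ssl" "$root/etc/ssl"
    # Constructed placeholder: PEM framing only, not a real certificate.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' \
        > "$root/usr/local/share/certs/ca-root-nss.crt"
    # The ETCSYMLINK-style link into the port's bundle.
    ln -s "$root/usr/local/share/certs/ca-root-nss.crt" "$root/etc/ssl/cert.pem"
    # A dangling link: the higher-priority path exists but resolves to nothing.
    ln -s "$root/usr/local/share/certs/removed.crt" "$root/usr/local/etc/ssl/cert.pem"
}

# Stand-alone demo: sh this_file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_demo_tree "$demo"
    find_ca_bundle "$demo" || echo "no usable CA bundle under $demo"
    rm -rf "$demo"
fi
```

On a real host the selected path can be handed straight to tools that take a bundle file, for example `openssl verify -CAfile "$(find_ca_bundle)" server.crt`; the point of the dangling-symlink check is that a path merely existing is not evidence that validation will work.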