Message-ID: <53B499B1.4090003@delphij.net>
Date: Wed, 02 Jul 2014 16:45:53 -0700
From: Xin Li
Reply-To: d@delphij.net
Organization: The FreeBSD Project
To: freebsd-security@FreeBSD.ORG
Subject: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Cc: Ben Laurie, gecko@FreeBSD.org, re, Jung-uk Kim

Hi,

Currently, FreeBSD does not install a default /etc/ssl/cert.pem because we do not maintain one ourselves. We do, however, provide a port, security/ca_root_nss, which has an option to install a symbolic link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt, which is not the default option.

This becomes a problem when applications, e.g. fetch(8), have grown support for doing certificate validation.

I think now it makes sense to have a default cert.pem installed with the base system. So my proposal would be:

1. Import a set of trusted root certificates, and install if MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;

2. In src/etc/Makefile, automatically create a symbolic link if it's not already present in ${DESTDIR}/etc/ssl;

3. Teach mergemaster(8) and other similar applications to create the symbolic link on demand;

4. Change the install/deinstall behavior of security/ca_root_nss:

   ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on install then overwrite with new symlink, and restore on deinstall.

   ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist, install a new symlink; on deinstall, if /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a symlink to there, or remove if the file does not exist.

Comments/objections?

Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
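
The install/deinstall rules in item 4 of the message above, written out as an added example that is not part of the original message and is not the security/ca_root_nss port's own script. It works on a scratch root directory so it can be tried without touching /etc; ROOT, the backup file name, the function names, and the rule that deinstall leaves alone any cert.pem that is not a symlink to the NSS bundle are assumptions.

```sh
#!/bin/sh
# Added example, not the port's pkg-install script. ROOT (a scratch root
# directory), the .bak name and all function names are hypothetical.
NSS=/usr/local/share/certs/ca-root-nss.crt
BASE=/usr/share/misc/ca-root-freebsd.pem
LINK=/etc/ssl/cert.pem
BAK=$LINK.ca_root_nss.bak

# True if the path exists, including as a dangling symlink.
present() { [ -e "$1" ] || [ -L "$1" ]; }
# True if ROOT's cert.pem is a symlink to the NSS bundle (i.e. the port's).
ours() { [ -L "$1$LINK" ] && [ "$(readlink "$1$LINK")" = "$NSS" ]; }

# ca_install ROOT on|off   (on = ETCSYMLINK checked)
ca_install() {
    root=$1 opt=$2
    mkdir -p "$root/etc/ssl"
    if [ "$opt" = on ]; then
        # Checked: back up a pre-existing cert.pem, then overwrite.
        if ours "$root"; then rm -f "$root$LINK"        # reinstall
        elif present "$root$LINK"; then mv -f "$root$LINK" "$root$BAK"; fi
        ln -s "$NSS" "$root$LINK"
    elif ! present "$root$LINK"; then
        # Unchecked: only fill an empty slot.
        ln -s "$NSS" "$root$LINK"
    fi
}

# ca_deinstall ROOT on|off
ca_deinstall() {
    root=$1 opt=$2
    # Assumption: a cert.pem the port did not create is left alone.
    ours "$root" || return 0
    rm -f "$root$LINK"
    if [ "$opt" = on ]; then
        # Checked: restore the backup if one was taken.
        if present "$root$BAK"; then mv -f "$root$BAK" "$root$LINK"; fi
    elif [ -e "$root$BASE" ]; then
        # Unchecked: fall back to the base-system bundle when installed.
        ln -s "$BASE" "$root$LINK"
    fi
}

# Print the symlink target of ROOT's cert.pem, or "file" / "absent".
cert_target() {
    if [ -L "$1$LINK" ]; then readlink "$1$LINK"
    elif [ -e "$1$LINK" ]; then echo file
    else echo absent; fi
}
```

Call `ca_install "$(mktemp -d)" off` and then `cert_target` on the same directory to inspect the resulting state.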