Date: Fri, 4 Mar 2016 18:20:04 +0100
From: Moritz Wilhelmy <mw+freebsd@barfooze.de>
To: freebsd-hackers@freebsd.org, freebsd-ports@freebsd.org, freebsd-questions@freebsd.org
Subject: Location of the SSL CA root store (affects fetch(1) from base, ftp/wget, ftp/curl, and probably all software using OpenSSL)
Message-ID: <20160304172003.GD26392@barfooze.de>
In-Reply-To: <20160301025156.GC26392@barfooze.de>
Hello,

First off, I've been considering reporting this as multiple bugs, and it is a tough decision for me because I think there should be more internal discussion about what the project thinks about the official location for CA root certificate storage, so I'm sending this to the lists instead, hoping I reach the right people. Please excuse any mistakes in this regard; I'm new on the lists.

Is there a guideline or official stance regarding where software should look for the CA root certificate store? If not, I think there should be.

Tested on FreeBSD 10.1 with curl 7.47.0 and wget 1.16 with OpenSSL from the base system and no OpenSSL port installed.

fetch
=====

fetch looks for CA root certificates in /usr/local/etc/ssl/certs, which seems counterintuitive given that it is part of the base system.

Command used (for easy copy-pasting):

$ truss fetch -o /dev/null https://cacert.org 2>&1 | grep ^open

wget
====

ftp/wget only looks at /etc/ssl/certs, which is again counterintuitive given that it's a third-party package installed via the ports framework.

$ truss wget -O /dev/null https://cacert.org 2>&1 | grep ^open

curl
====

curl with the ca-root-nss option only looks at the file installed by that package, which contains all NSS root certificates; it completely ignores the CA certificate storage at /etc/ssl/certs as well as ${LOCALBASE}/etc/ssl/certs, and instead only ever looks at ${LOCALBASE}/share/certs/ca-root-nss.crt, where a sysadmin can't add certificates without their changes being overwritten by subsequent updates to the CA bundle package. (I've confirmed this via truss(1), but curl -v prints this path as well.) I haven't tried recompiling curl without the option to see where it would look for root certificates.

$ truss curl -o /dev/null https://cacert.org 2>&1 | grep ^open

Best regards,
Moritz
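The truss-and-grep check above leaves the reader to eyeball which open() calls hit a certificate store and which failed. The following is an added example, not part of the e-mail or of any FreeBSD tool: a small POSIX sh/awk filter that takes the `truss ... 2>&1 | grep ^open` output and prints one OK/MISSING line per path under the store directories the message discusses (/etc/ssl, /usr/local/etc/ssl, /usr/local/share/certs). The sample truss lines are constructed; the exact open()/openat() formatting varies between FreeBSD releases, and the store directory list is an assumption to adjust for a non-default LOCALBASE.

```sh
#!/bin/sh
# Added example: classify CA-store probes in truss(1) output.
# Input (stdin): raw truss lines. Output: "STATUS PATH" per probe of a
# known store directory. STATUS is OK when the call returned a descriptor,
# MISSING on ERR#2 (ENOENT), ERROR on any other errno.
ca_probes() {
    awk '
    /^open(at)?\(/ {
        # The path is the first double-quoted argument on the line.
        if (match($0, /"[^"]+"/) == 0) next
        path = substr($0, RSTART + 1, RLENGTH - 2)
        # Only the store locations discussed in the thread (assumed list).
        if (path !~ /^(\/etc\/ssl|\/usr\/local\/etc\/ssl|\/usr\/local\/share\/certs)/) next
        if ($0 ~ /ERR#2 /)     status = "MISSING"
        else if ($0 ~ /ERR#/)  status = "ERROR"
        else                   status = "OK"
        print status, path
    }'
}

# store_used: exit 0 if at least one store path was opened successfully,
# 1 otherwise (i.e. the program never read any known CA store).
store_used() {
    ca_probes | grep -q '^OK '
}

# Constructed sample, modelled on what a curl run with ca-root-nss looks
# like: the base-system and ${LOCALBASE}/etc stores are never found, the
# NSS bundle is the only file actually read.
SAMPLE_TRUSS='open("/etc/libmap.conf",O_RDONLY,00)                 = 3 (0x3)
open("/usr/local/etc/ssl/certs",O_RDONLY,00)         ERR#2 '"'"'No such file or directory'"'"'
open("/usr/local/share/certs/ca-root-nss.crt",O_RDONLY,00) = 4 (0x4)
openat(AT_FDCWD,"/etc/ssl/certs/ca-certificates.crt",O_RDONLY,0) ERR#2 '"'"'No such file or directory'"'"''

# Convenience wrapper so the sample can be checked without a live truss run.
sample_report() {
    printf '%s\n' "$SAMPLE_TRUSS" | ca_probes
}

sample_report
```

On a live system the same filter is applied as `truss fetch -o /dev/null https://example.invalid 2>&1 | ca_probes`; the `store_used` helper turns it into a yes/no check suitable for a cron job or a ports QA script.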