From: Dag-Erling Smørgrav
To: d@delphij.net
Cc: Ben Laurie, freebsd-security@FreeBSD.ORG, re, Jung-uk Kim, gecko@FreeBSD.org
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Date: Sat, 25 Oct 2014 21:21:16 +0200
Message-ID: <86bnp07y6r.fsf@nine.des.no>
In-Reply-To: <53B499B1.4090003@delphij.net> (Xin Li's message of "Wed, 02 Jul 2014 16:45:53 -0700")

Reviving this discussion because it was never resolved.

Xin Li writes:
> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
> because we do not maintain one ourselves. [...] So my proposal would
> be:
>
> 1. Import a set of trusted root certificates, and install if
> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;

At a minimum, we need the certificate chain for all freebsd.org
certificates.

> 2. In src/etc/Makefile, automatically create a symbolic link if it's
> not already present in ${DESTDIR}/etc/ssl;
>
> 3. Teach mergemaster(8) and other similar applications to create the
> symbolic link on demand;
>
> 4. Change the install/deinstall behavior of security/ca_root_nss:
> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
> install then overwrite with new symlink, and restore on deinstall.
> ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
> install a new symlink; on deinstall, if
> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
> symlink to there, or remove if the file does not exist.

I would prefer to have each port install their certificate lists in a
"hidden" location which is then added to the search path using
c_rehash. This may require changing libfetch and various applications
to pass a path to SSL_CTX_load_verify_locations() instead of or in
addition to a file.

DES
-- 
Dag-Erling Smørgrav - des@des.no
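
An added illustration, not part of the message above and not FreeBSD or libfetch code: Python's `ssl` module wraps `SSL_CTX_load_verify_locations()`, so it can show what passing a hashed directory in addition to (or instead of) a bundle file involves, including the failure mode where a certificate is dropped into the directory without running c_rehash. The function names, the temporary directory and both file names are constructed for the example.

```python
import os
import re
import ssl
import tempfile

# Certificate links created by c_rehash: 8 hex digits of subject hash, a dot,
# and a sequence number (CRL links use ".rN" and are not matched here).
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def split_directory(capath):
    """Return (hashed, ignored) entry names for a CApath directory.

    OpenSSL's directory lookup only opens <subject-hash>.<n>; any other file
    (for example a .pem installed without running c_rehash) is never
    consulted during verification.
    """
    hashed, ignored = [], []
    for name in sorted(os.listdir(capath)):
        (hashed if HASHED_NAME.match(name) else ignored).append(name)
    return hashed, ignored


def build_verify_context(cafile=None, capath=None):
    """Create a client context trusting a bundle file and/or a hashed directory."""
    cafile = cafile if cafile and os.path.isfile(cafile) else None
    capath = capath if capath and os.path.isdir(capath) else None
    if cafile is None and capath is None:
        raise FileNotFoundError("no usable CA file or CA directory")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verification and hostname check on
    # Wraps SSL_CTX_load_verify_locations(ctx, CAfile, CApath).
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def demo():
    # Constructed layout: one rehashed entry and one file nobody rehashed.
    with tempfile.TemporaryDirectory() as port_dir:
        for name in ("5ad8a5d6.0", "new-root.pem"):
            open(os.path.join(port_dir, name), "w").close()
        ctx = build_verify_context(cafile="/nonexistent/cert.pem", capath=port_dir)
        # Directory entries are looked up lazily, so nothing is loaded yet.
        return split_directory(port_dir), ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    print(demo())
```

Because the directory is only consulted during a handshake, loading it succeeds even when it holds no usable certificate; listing the unhashed entries is the check that catches a missed c_rehash run.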