Date:      Thu, 31 Jan 2013 19:40:01 GMT
From:      Jan Beich <jbeich@tormail.org>
To:        gecko@FreeBSD.org
Subject:   Re: ports/160387: security/ca_root_nss: Allow user to trust extra local certificates
Message-ID:  <201301311940.r0VJe1mx000844@freefall.freebsd.org>

The following reply was made to PR ports/160387; it has been noted by GNATS.

From: Jan Beich <jbeich@tormail.org>
To: Romain Tartiere <romain@FreeBSD.org>
Cc: bug-followup@freebsd.org
Subject: Re: ports/160387: security/ca_root_nss: Allow user to trust extra local certificates
Date: Fri, 01 Feb 2013 00:30:34 +0500

 Romain Tartiere <romain@FreeBSD.org> writes:
 
 > 1. Have some domain protected by some self-made certificate or e.g. cacert
 > 2. Install security/ca_root_nss and ftp/curl
 > 3. curl https://some.domain.example.com/
 >   ** fails **
 > 4. cat cert >> /usr/local/share/certs/ca-root-nss.crt
 > 5. curl https://some.domain.example.com/
 >   ** success **
 
 This mostly depends on the app, e.g.,
 
 - openssl(1) only uses CA certs with -CApath or -CAfile
 - subversion (neon), lynx, etc. call SSL_CTX_set_default_verify_paths()
 - curl (openssl) hardcodes either /etc/ssl/certs/ or
   ${LOCALBASE}/share/certs/ca-root-nss.crt (CA_BUNDLE option)
 - curl (gnutls) hardcodes /etc/ssl/cert.pem
 - epiphany2 (gnutls?) accepts self-signed certificates without
   warning but otherwise hardcodes the path to ca-root-nss.crt
 - firefox and chromium hardcode CA certs into libnssckbi.so from a
   bundled copy of certdata.txt in nss port (not ca_root_nss)
 
 and in a bit more detail
 
   # add a shared self-signed certificate
   $ mkdir /etc/ssl/certs; cd /etc/ssl/certs
   $ openssl s_client -connect trillian.chruetertee.ch:https </dev/null 2>&0 |
     sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
     openssl x509 -text -fingerprint >freebsd-gecko.crt
   $ ln -sf freebsd-gecko.crt $(openssl x509 -hash -noout -in freebsd-gecko.crt).0
 
   $ openssl s_client -connect trillian.chruetertee.ch:https -CApath /var/empty
   ...
         Verify return code: 0 (ok)
   
   $ curl https://trillian.chruetertee.ch/svn/freebsd-gecko/trunk/
   <?xml version="1.0"?>
   ...
 
   $ HOME=/var/empty svn ls https://trillian.chruetertee.ch/svn/freebsd-gecko/trunk/
   Gecko_ChangeLog
   Gecko_TODO
   Mk/
   devel/
   mail/
   security/
   www/
 
 It may be worth looking at how other distros tried to solve the mess.
 
 https://fedoraproject.org/wiki/FedoraCryptoConsolidation
 http://en.opensuse.org/SDB:Share_certificates_between_applications_or_whole_system
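
An added example (not from the PR or from the message above): a POSIX shell script that automates the hash-link install step from the recipe above against a locally generated throwaway CA and checks the result with openssl verify. It assumes openssl(1) 1.1 or later on PATH; the function names, file names and the test CA's subject are chosen here.

```shell
#!/bin/sh
# Added example, not code from the PR or the message above. It mirrors the
# "shared self-signed certificate" recipe: put a PEM cert in a -CApath
# directory and add the <subject-hash>.0 symlink OpenSSL's lookup expects.
# Assumes openssl(1) 1.1 or later on PATH; the throwaway CA is generated
# locally instead of being fetched with s_client.
set -eu

# make_test_ca DIR: self-signed test CA (constructed sample). Prints cert path.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test local CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
    printf '%s\n' "$1/ca.crt"
}

# install_cert CERT CAPATH: copy CERT into CAPATH and add the hash link.
# Prints the link path. ".0" is the first cert with that subject hash; a
# second, different cert hashing the same would get ".1".
install_cert() {
    cert=$1; capath=$2
    mkdir -p "$capath"
    name=$(basename "$cert")
    cp "$cert" "$capath/$name"
    hash=$(openssl x509 -hash -noout -in "$capath/$name")
    ln -sf "$name" "$capath/$hash.0"
    printf '%s\n' "$capath/$hash.0"
}

# verify_with_capath CERT CAPATH: exit 0 only if CERT chains to a cert in
# CAPATH. -no-CAfile stops openssl verify from also loading the default
# CAfile (OpenSSL 3 has -no-CAstore for the default store as well).
verify_with_capath() {
    openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1
}

# demo: build a CA, install it, check a hashed dir and an empty dir.
demo() {
    tmp=$(mktemp -d)
    ca=$(make_test_ca "$tmp")
    link=$(install_cert "$ca" "$tmp/certs")
    echo "installed: $link -> $(readlink "$link")"
    verify_with_capath "$ca" "$tmp/certs" && echo "hashed dir: trusted"
    mkdir "$tmp/empty"
    verify_with_capath "$ca" "$tmp/empty" || echo "empty dir: not trusted"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the single argument `demo` to see the round trip; the functions can also be sourced into another script.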
