From owner-freebsd-questions@freebsd.org Fri Feb 12 22:35:35 2021
Date: Fri, 12 Feb 2021 14:35:20 -0800 (PST)
From: "Dan Mahoney (Gushi)"
To: Kyle Evans
cc: "Dan Mahoney (Gushi)", questions@freebsd.org, Allan Jude
Subject: Re: splitting ca_root_nss into component pem files
References: <8f7cdfd9-7c4f-2e5d-948c-34ae45f1c9d@prime.gushi.org>

On Fri, 12 Feb 2021, Kyle Evans wrote:

> On Fri, Feb 12, 2021 at 1:23 PM Dan Mahoney (Gushi) wrote:
>>
>> Allan (and all),
>>
>> I notice FreeBSD now comes with certctl which knows how to split and
>> manage trusted SSL certs. FreeBSD 12.2 includes a /usr/share/ssl/certs
>> directory now (no mention of that in the release notes?) and a tool called
>> certctl.
>>
>> Certctl has (for some reason) been backported to 11.x, where there are no
>> individual certs provided by default, so I'm confused as to why this is.
>>
> I fully intended to ship 11.4 with them, but pulled them at the last
> minute due to some issues with certctl.
>
>> ca_root_nss only provides a monolithic cert.
>>
>> Some apps require a directory of hashes and symlinks. This is common,
>> especially when you want to trust your local CA as well as the netscape
>> ones. Additionally, some tools (like sendmail) seem to require the
>> symlinked approach.
>>
>> Is there a tool (installed with base, or from ports) that will do this
>> splitting of ca_root_nss, to some standard directory? (certctl doesn't
>> appear to).
>>
> I have some local WIP that's going to split ca_root_nss out like the
> base bundle is, so that it's compatible with certctl and friends. My
> vision is that ca_root_nss will provide more expedient updates of the
> bundle to folks that need it on a better timeline than EN/SA can
> deliver.
>
>> Should this not be a standard thing in the pkg-message for ca_root_nss?
>>
>> (This seems to be a tangly problem to google).
>>
>> Note I solved this myself a few years back:
>> https://gushi.dreamwidth.org/1064679.html, but I'd like to have a "right"
>> answer.
>>
>> But...this feels like something that should have a base tool AND be in the
>> handbook, since the *removal* of a cert from ca_root_nss will cause users
>> to still trust it -- a clean rebuild should be possible.
>>
> Right, that's the problem I'm hoping to solve by splitting ca_root_nss up.

Okay.
From an architecture POV, does that mean that effectively the port's
makefile will fetch the main file and do the splitting, and then that each
individual file will be added (with names similar to what are in 12.2) as
part of the port's plist (which means you could see the provenance of them
with pkg which?)

Because that would be sort of amazing.

The only question comes when you have a cert with the same hash installed
by the base system *and* ca_root_nss. (Or when freebsd-update pulls down a
blacklist entry for a cert that's in base but still remains in
ca_root_nss).

Thanks for this work. I recognize that there's this weird fine line where
the OS vendor doesn't want to say "you should trust these" but at the same
time, should say "but you want ssl to work at all, right?".

-Dan

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
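Added example (not certctl and not the ca_root_nss port's own code): a Python sketch of the split-and-rebuild step discussed in the thread. It names each file by the SHA-256 fingerprint of the DER body (an assumption; OpenSSL's subject-hash symlinks are generated afterwards with `openssl rehash <dir>` or `certctl rehash`), deletes files for certs that are no longer in the bundle so a withdrawn root stops being trusted, and reports certs present in both the base store and the port's bundle, the collision Dan asks about. The PEM blocks it feeds itself are constructed framing around arbitrary bytes, not real certificates.

```python
import base64, hashlib, re, tempfile
from pathlib import Path
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def split_bundle(pem_text):
    """Map SHA-256 fingerprint of each DER body -> normalised PEM block."""
    certs = {}
    for m in PEM_RE.finditer(pem_text):
        b64 = "".join(m.group(1).split())          # strip line wrapping
        der = base64.b64decode(b64, validate=True)
        certs[hashlib.sha256(der).hexdigest()] = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64
    return certs

def sync_dir(target, certs):
    """Make `target` hold exactly one <fingerprint>.pem per cert in `certs`.
    Returns (added, removed). Deleting stale files is the "clean rebuild":
    a cert dropped from the bundle stops being trusted instead of lingering."""
    target = Path(target)
    target.mkdir(parents=True, exist_ok=True)
    have = {p.stem for p in target.glob("*.pem")}
    removed = sorted(have - set(certs))
    for fp in removed:
        (target / f"{fp}.pem").unlink()
    added = sorted(set(certs) - have)
    for fp in added:
        (target / f"{fp}.pem").write_text(certs[fp])
    return added, removed

def overlap(base_certs, port_certs):
    """Fingerprints present in both stores (same cert shipped by base and the port)."""
    return sorted(set(base_certs) & set(port_certs))

def fake_pem(payload):
    """Constructed stand-in: PEM framing around arbitrary bytes, not a real
    X.509 certificate; enough to exercise the split/sync logic offline."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
        base64.b64encode(payload).decode())

def demo():
    """Bundle update where one root was removed upstream and one root is also in base."""
    v1 = fake_pem(b"root-A") + fake_pem(b"root-B") + fake_pem(b"root-C")
    v2 = fake_pem(b"root-A") + fake_pem(b"root-C")       # root-B withdrawn upstream
    base_store = split_bundle(fake_pem(b"root-A"))        # base ships root-A too
    with tempfile.TemporaryDirectory() as d:
        add1, rm1 = sync_dir(d, split_bundle(v1))
        add2, rm2 = sync_dir(d, split_bundle(v2))
        left = len(list(Path(d).glob("*.pem")))
    return {"add1": len(add1), "rm1": len(rm1), "add2": len(add2), "rm2": len(rm2),
            "left": left, "shared": len(overlap(base_store, split_bundle(v2)))}
```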