From owner-freebsd-gecko@FreeBSD.ORG Thu Jan 31 19:40:01 2013
Date: Thu, 31 Jan 2013 19:40:01 GMT
Message-Id: <201301311940.r0VJe1mx000844@freefall.freebsd.org>
To: gecko@FreeBSD.org
From: Jan Beich
Subject: Re: ports/160387: security/ca_root_nss: Allow user to trust extra local certificates
List-Id: Gecko Rendering Engine issues

The following reply was made to PR ports/160387; it has been noted by GNATS.

From: Jan Beich
To: Romain Tartiere
Cc: bug-followup@freebsd.org
Subject: Re: ports/160387: security/ca_root_nss: Allow user to trust extra local certificates
Date: Fri, 01 Feb 2013 00:30:34 +0500

Romain Tartiere writes:

> 1. Have some domain protected by some self-made certificate or e.g. cacert
> 2. Install security/ca_root_nss and ftp/curl
> 3. curl https://some.domain.example.com/
> ** fails **
> 4. cat cert >> /usr/local/share/certs/ca-root-nss.crt
> 5. curl https://some.domain.example.com/
> ** success **

This mostly depends on the app, e.g.,

- openssl(1) only uses CA certs with -CApath or -CAfile
- subversion (neon), lynx, etc. call SSL_CTX_set_default_verify_paths()
- curl (openssl) hardcodes either /etc/ssl/certs/ or ${LOCALBASE}/share/certs/ca-root-nss.crt (CA_BUNDLE option)
- curl (gnutls) hardcodes /etc/ssl/cert.pem
- epiphany2 (gnutls?) accepts self-signed certificates without warning but otherwise hardcodes path to ca-root-nss.crt
- firefox and chromium use CA certs hardcoded into libnssckbi.so from a bundled copy of certdata.txt in nss port (not ca_root_nss)

and a bit more detailed

  # add a shared self-signed certificate
  $ mkdir /etc/ssl/certs; cd /etc/ssl/certs
  $ openssl s_client -connect trillian.chruetertee.ch:https </dev/null 2>&0 | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -fingerprint >freebsd-gecko.crt
  $ ln -sf freebsd-gecko.crt $(openssl x509 -hash -noout -in freebsd-gecko.crt).0

  $ openssl s_client -connect trillian.chruetertee.ch:https -CApath /var/empty
  ...
  Verify return code: 0 (ok)

  $ curl https://trillian.chruetertee.ch/svn/freebsd-gecko/trunk/
  ...

  $ HOME=/var/empty svn ls https://trillian.chruetertee.ch/svn/freebsd-gecko/trunk/
  Gecko_ChangeLog
  Gecko_TODO
  Mk/
  devel/
  mail/
  security/
  www/

It may be worth looking at how other distros tried to solve the mess.

https://fedoraproject.org/wiki/FedoraCryptoConsolidation
http://en.opensuse.org/SDB:Share_certificates_between_applications_or_whole_system
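Added example, not from the thread or the ports tree: the hashed -CApath directory the mail builds by hand, as a POSIX sh script that also handles subject-hash collisions (two CAs sharing a hash get .0 and .1) and checks the outcome with openssl verify against the populated directory and against an empty one. It assumes openssl(1) on PATH and generates its own throwaway self-signed CA instead of fetching one with s_client.

```shell
#!/bin/sh
# Added example (not the PR's or the port's code). Builds an OpenSSL-style
# hashed CApath directory and verifies a cert against it. Assumes openssl(1).
set -eu

# Generate a constructed self-signed CA as $1/ca.crt (stand-in for the cert
# the mail pulls out of an s_client session).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=example-local-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# Link CERT into DIR as <subject-hash>.<n>. OpenSSL probes .0, .1, ... until
# a name is missing, so pick the first free n rather than always .0; otherwise
# a second CA with a colliding subject hash would silently replace the first.
# Prints the link path.
add_to_capath() {
    dir=$1; cert=$2
    hash=$(openssl x509 -hash -noout -in "$cert")
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    # absolute target, so the link keeps working if DIR is moved
    ln -sf "$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")" "$dir/$hash.$n"
    echo "$dir/$hash.$n"
}

# Exit 0 if CERT chains to something in the hashed directory DIR. Note that
# openssl verify still consults its compiled-in default CAfile/CApath in
# addition to -CApath, so an unrelated system trust store can also satisfy it.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demo when run directly.
if [ "${DEMO:-0}" = 1 ]; then
    d=$(mktemp -d); mkdir "$d/capath"
    make_test_ca "$d"
    add_to_capath "$d/capath" "$d/ca.crt"
    verify_with_capath "$d/capath" "$d/ca.crt" && echo "verified via CApath"
    rm -rf "$d"
fi
```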