Date: Sun, 31 Mar 2013 01:45:00 +0100
From: Michael Gmelin <freebsd@grem.de>
To: freebsd-ports@freebsd.org
Cc: Dag-Erling Smørgrav <des@des.no>
Subject: Re: Using bidirectional authentication in pkgng
Message-ID: <20130331014500.4a03cc15@bsd64.grem.de>
In-Reply-To: <50F9B6CC.3040303@infracaninophile.co.uk>
References: <20130118035721.283135fb@bsd64.grem.de> <50F9B6CC.3040303@infracaninophile.co.uk>
On Fri, 18 Jan 2013 20:55:40 +0000
Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:

> On 18/01/2013 02:57, Michael Gmelin wrote:
>
> > c. libfetch really needs to get fixed to allow certificate
> > verification in its fetchX* and fetchHTTP* functions when using
> > HTTPS. fetch(3) is based on it and there is no indication anywhere
> > whatsoever that no checks are done at all (none of the libfetch or
> > fetch utility man pages mention it).
>
> This would be useful functionality to add to libfetch. However,
> support for DANE (RFC 6698) would be even better, IMHO.
>

Hi Matthew,

I implemented all the bits necessary back in January and discussed the
patch with Dag at length. The final result was (well, IMHO) quite
satisfactory, but then I got distracted by a couple of very tight
deadlines until early March. I mailed the latest version of the patch
to Dag, but didn't receive any feedback yet - it's been only a few
weeks though.

From my perspective the patch is complete, since all the features I
intended to implement have been implemented and tested according to the
relevant RFCs. Adding DANE, like you suggested, would be great, but I
don't have the time to acquire the expertise required right now. Plus,
implementing it is not a replacement for supporting a "traditional" SSL
CA infrastructure.

You can fetch the latest version of the patch at
http://blog.grem.de/libfetch_20130307.patch (I didn't bother adding it
to kern/175514, since AFAIK patches containing UTF-8 characters are
still broken in the PR system).

I wrote a tutorial, available at http://goo.gl/tW7P3 [1], on how to
actually take advantage of the features provided by the patch in a
fully trusted and bidirectionally authenticated pkgng setup. I hope
this is useful to somebody else. We'll roll out a very similar setup on
all of our servers in the near future.
I'd like to see the patches to libfetch/fetch make it to base, since I
think these features just have to be in there, regardless of what you
think of traditional PKI infrastructures.

Cheers,
Michael

[1] http://blog.grem.de/sysadmin/Trusted-Package-Distribution-With-pkgng-2013-03-30.html

-- 
Michael Gmelin