From: Michael Gmelin
To: freebsd-ports@freebsd.org
Cc: Dag-Erling Smørgrav
Date: Sun, 31 Mar 2013 01:45:00 +0100
Subject: Re: Using bidirectional authentication in pkgng
Message-ID: <20130331014500.4a03cc15@bsd64.grem.de>
In-Reply-To: <50F9B6CC.3040303@infracaninophile.co.uk>
References: <20130118035721.283135fb@bsd64.grem.de> <50F9B6CC.3040303@infracaninophile.co.uk>
List-Id: Porting software to FreeBSD

On Fri, 18 Jan 2013 20:55:40 +0000 Matthew Seaman wrote:

> On 18/01/2013 02:57, Michael Gmelin wrote:
>
> > c. libfetch really needs to get fixed to allow certificate
> > verification in its fetchX* and fetchHTTP* functions when using
> > HTTPS. fetch(3) is based on it and there is no indication anywhere
> > whatsoever that no checks are done at all (none of the libfetch or
> > fetch utility man pages mention it).
>
> This would be useful functionality to add to libfetch. However,
> support for DANE (RFC 6698) would be even better, IMHO.

Hi Matthew,

I implemented all the bits necessary back in January and discussed the
patch with Dag at length. The final result was (well, IMHO) quite
satisfactory, but then I got distracted by a couple of very tight
deadlines until early March. I mailed the latest version of the patch to
Dag, but didn't receive any feedback yet - it's been only a few weeks
though.

From my perspective the patch is complete, since all the features I
intended to implement have been implemented and tested according to the
relevant RFCs. Adding DANE, like you suggested, would be great, but I
don't have the time to acquire the expertise required right now. Plus
implementing it is not a replacement for supporting a "traditional" SSL
CA infrastructure.

You can fetch the latest version of the patch at
http://blog.grem.de/libfetch_20130307.patch (I didn't bother adding it
to kern/175514, since AFAIK patches containing UTF-8 characters are
still broken in the PR system).

I wrote a tutorial, available at http://goo.gl/tW7P3 [1], on how to
actually take advantage of the features provided by the patch in a fully
trusted and bidirectionally authenticated pkgng setup. I hope this is
useful to somebody else. We'll roll out a very similar setup on all of
our servers in the near future.

I'd like to see the patches to libfetch/fetch make it to base, since I
think these features just have to be in there, regardless of what you
think of traditional PKI infrastructures.

Cheers,
Michael

[1] http://blog.grem.de/sysadmin/Trusted-Package-Distribution-With-pkgng-2013-03-30.html

-- 
Michael Gmelin