From owner-freebsd-ports-bugs@freebsd.org Thu Nov 9 12:59:21 2017 Return-Path: Delivered-To: freebsd-ports-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6B5E9E4F819 for ; Thu, 9 Nov 2017 12:59:21 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5880064F0F for ; Thu, 9 Nov 2017 12:59:21 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id vA9CxLB4034939 for ; Thu, 9 Nov 2017 12:59:21 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-ports-bugs@FreeBSD.org Subject: [Bug 223562] SSL certificate store issues - possible solution (affects ca_root_nss, nss, openssl/base) Date: Thu, 09 Nov 2017 12:59:21 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: rocky@herveybayaustralia.com.au X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-ports-bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Nov 2017 12:59:21 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D223562 Bug ID: 223562 Summary: SSL certificate store issues - possible solution (affects ca_root_nss, nss, openssl/base) Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: freebsd-ports-bugs@FreeBSD.org Reporter: rocky@herveybayaustralia.com.au There have been a number of issues raised regarding various difficulties wi= th ca_root_nss and local certificates that should be trusted (see 160387 - certificate store combining local and root certificates; 189811 - missing /etc/ssl/cert.pem (heated discussion over paranoia level required). Basic functionality needs to be provided OOB for users, but but breaking local requirements/policies for certificate trusts needs to be simplified for sysadmin. A way for these issues to be addressed in a coherent and minimal fashion ne= eds to be provided. Ability for greater functionality and ease of administratio= n is also a bonus. Other platforms have seen the same issue, and many different solutions have been offered; but widely the consensus has been to provide a central store for all certificates systemwide, linking both openssl and nss engines. As such a proposal is to leave base as is, but where ports are concerned use nss to maintain certificates, and output the trusted to a cert.pem file for openssl/libressl. Advantages: - ca_root_nss already uses nss but parses the text source to produce the cert.pem file. Instead of covert use we're switching to overt. (Curl uses t= he same - but can use nss) - sysadmins can "trust" which certificates they want - even from the mozilla ROOTS - updates to the root list will occur via the libnssckbi.so file and not interfere with local trusted certificates - possible (currently experimental?) bridge between openssl and nss certifi= cate store - a central store could mean user apps such as firefox could automatically trust local certificates as they can be set to use a shared database direct= ly or imported from the system db Disadvantages: - could be slightly more space required for nss - number of ports dependent on ca_root_nss will need to be adjusted - what = to test when dependency checking? nss certificate store db can placed anywhere in theory (firefox/thunderbird= use profile dirs), but theoretical "default" is suggested to be /etc/pki/nssdb.= In line with freebsd convention, ${LOCALBASE}/etc/pki/nssdb would be best. This would mean the nss port would be required to trigger creation of the db using modutil -create -dbdir sql:${DB}, an option to use libnssckbi.so using modutil -dbdir ${DB} -add ca_roots -libfile ${LOCALBASE}/lib/nss/libnssckbi= .so (or the p11-kit equivalent), and either an option (default on) to create cert.pem of _all_ trusted certificates in /usr/local/etc/ssl, with a symlin= k to /etc/ssl, or port (replace ca_root_nss?) to complete. (Preference would be = an option in nss - port that doesn't install anything wouldn't make sense in t= he infrastructure). Creation of the cert.pem file is then as easy as piping and outputting the following to cert.pem: #!/bin/sh # accept output from: certutil -d sql:${db} -L -h all | grep "\([CPTu]\{0,3\},\)\{2\}[CPTu]\{0,3\}" | sed 's/\([CPTu]\{0,3\},\)\{2\}[CPTu]\{0,3\}//' | trusted_certs.sh > cert.pem && certutil -d sql:${db} -L | grep "\([CPTu]\{0,3\},\)\{2\}[CPTu]\{0,3\}" | sed 's/\([CPTu]\{0,3\},\)\{2\}[CPTu]\{0,3\}//' | trusted_certs.sh >> cert.pem db =3D "sql:${LOCALBASE}/etc/pki/nssdb" # this could be better to use make = env while read input; do certutil -d $db -L -n "$input" certutil -d $db -L -a -n "$input" done --=20 You are receiving this mail because: You are the assignee for the bug.=