Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
From: Paul Hoffman
Date: Thu, 3 Jul 2014 07:22:58 -0700
To: d@delphij.net
Cc: freebsd-security@FreeBSD.ORG

On Jul 2, 2014, at 4:45 PM, Xin Li wrote:

> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
> because we do not maintain one ourselves. We do, however, provide a
> port, security/ca_root_nss, which has an option to install a symbolic
> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
> which is not the default option.
>
> This becomes a problem when applications, e.g. fetch(8), have grown
> support for doing certificate validation. I think now it makes sense
> to have a default cert.pem installed with the base system.
>
> So my proposal would be:
>
> 1. Import a set of trusted root certificates, and install if
> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
>
> 2. In src/etc/Makefile, automatically create a symbolic link if it's
> not already present in ${DESTDIR}/etc/ssl;
>
> 3. Teach mergemaster(8) and other similar applications to create the
> symbolic link on demand;
>
> 4. Change the install/deinstall behavior of security/ca_root_nss:
> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
> install then overwrite with new symlink, and restore on deinstall.
> ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
> install a new symlink; on deinstall, if
> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
> symlink to there, or remove if the file does not exist.
>
> Comments/objections?

It seems like a good plan. As long as people who have a different trust list than Mozilla can easily implement their own trust plan, it's fine, and this brings a lot of ease-of-use to the ports, particularly to common ones like wget.

--Paul Hoffman
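The install/deinstall rules in step 4 of the quoted proposal, written out as an added shell example; it is not part of this thread and not the security/ca_root_nss port's own scripts. The staging-root argument, the `.pre-nss` backup name, and the rule that deinstall only touches a link still pointing at the NSS bundle are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: step 4 of the proposal, run against a staging root.
# Assumptions: ROOT plays the role of ${DESTDIR}; the ".pre-nss" backup
# name is hypothetical; on deinstall only a link that still points at
# the NSS bundle is treated as ours, so an admin's own trust list
# is never removed or replaced.
NSS=/usr/local/share/certs/ca-root-nss.crt
BASE=/usr/share/misc/ca-root-freebsd.pem

exists() { [ -e "$1" ] || [ -L "$1" ]; }   # true for dangling links too
ours()   { [ -L "$1" ] && [ "$(readlink "$1")" = "$NSS" ]; }

# nss_install ROOT ETCSYMLINK(yes|no)
nss_install() {
    pem="$1/etc/ssl/cert.pem"
    mkdir -p "$1/etc/ssl"
    if [ "$2" = yes ]; then
        # Checked: back up whatever is there, then take over the path.
        if exists "$pem" && ! ours "$pem"; then
            mv -f "$pem" "$pem.pre-nss"
        fi
        rm -f "$pem"
        ln -s "$NSS" "$pem"
    elif ! exists "$pem"; then
        # Unchecked: only fill the gap, never replace an existing file.
        ln -s "$NSS" "$pem"
    fi
}

# nss_deinstall ROOT ETCSYMLINK(yes|no)
nss_deinstall() {
    pem="$1/etc/ssl/cert.pem"
    ours "$pem" || return 0              # not our link: leave it alone
    rm -f "$pem"
    if [ "$2" = yes ] && exists "$pem.pre-nss"; then
        mv "$pem.pre-nss" "$pem"         # checked: restore the backup
    elif [ "$2" != yes ] && [ -e "$1$BASE" ]; then
        ln -s "$BASE" "$pem"             # unchecked: fall back to base bundle
    fi
}
```

Sourcing the file and calling `nss_install "$(mktemp -d)" no` exercises the logic without touching the live /etc/ssl.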