Date:      Thu, 03 Jul 2014 13:37:37 -0230
From:      Jonathan Anderson <jonathan@FreeBSD.org>
To:        Eitan Adler <lists@eitanadler.com>
Cc:        d@delphij.net, Ben Laurie <benl@freebsd.org>, gecko@freebsd.org, Bryan Drewery <bdrewery@freebsd.org>, freebsd-security@freebsd.org, FreeBSD Ports Management Team <portmgr@freebsd.org>, re <re@freebsd.org>, Jung-uk Kim <jkim@freebsd.org>
Subject:   Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID:  <53B57FC9.4080302@FreeBSD.org>
In-Reply-To: <CAF6rxgmsoJCnCpnGKUXe0jnPEgGNm3BB_SF73vLOkK5X9pOoPw@mail.gmail.com>
References:  <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <53B56F49.7030109@FreeBSD.org> <CAF6rxgmsoJCnCpnGKUXe0jnPEgGNm3BB_SF73vLOkK5X9pOoPw@mail.gmail.com>

Eitan Adler wrote:
> Perhaps we should remove HTTPS support from libfetch and require the
> user to install wget or curl if they want to use SSL?  Having a
> *default* certificate bundle (that could be removed / edited, of
> course) is not necessarily even making a trust claim about a
> particular cert. [0]   IMHO the position where the majority of SSL on
> the internet is broken by default is not tenable.
>
> We support HTTP.  We don't support HTTPS.  The browsers spend a lot of
> time on this problem. We don't.  I am not asserting that the Mozilla
> set is perfect.  I am asserting that we should have *functional* SSL
> in the base system, and that using the Mozilla set is a good way to
> obtain that with a good enough policy.

I think it's useful to provide the *mechanism* (libfetch does validation 
of whatever certs you put in /usr/local/etc/ssl); I'm just saying that 
we should be very conservative about *policy*: we can vouch for exactly 
one certificate, and that's the one we control. Vendors who base their 
products on FreeBSD might choose to pre-populate /etc/ssl with 
ca-freebsd.pem and ca-vendor.pem, while people who install FreeBSD boxes 
can choose to install a CA bundle package to /usr/local/etc/ssl.

I do see a couple of potential solutions to the "I can't fetch anything 
on my clean install" problem. First, we can make sure that CA bundles 
are in the set of packages we put on the install media, so the person 
installing the OS can choose to adopt the "accept whatever CAs Mozilla 
likes" policy (or the "accept CAs that Dr Paranoid likes" policy). 
Second, we could let interactive 'fetch' warn users about unrecognized 
CAs (different from validation failures) and prompt as to whether or not 
they want to continue with the fetching. That behaviour would be no 
worse than manually specifying --no-verify-peer, which is the logical 
next step when you see a missing CA error today.


Jon
-- 
Jonathan Anderson
jonathan@FreeBSD.org