From: Dag-Erling Smørgrav <des@FreeBSD.org>
To: Kyle Evans
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: b88b0bb784c7 - main - caroot: Generate both trusted and untrusted
In-Reply-To: (Kyle Evans's message of "Mon, 25 Aug 2025 17:30:39 -0500")
References: <202508252142.57PLgh5i068682@gitrepo.freebsd.org>
Date: Tue, 26 Aug 2025 11:14:27 +0200
Message-ID: <86ecsyv40c.fsf@ltc.des.dev>
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

Kyle Evans writes:

> That's great, thanks! I do notice one case if I run this today:
>
> deleted: trusted/Baltimore_CyberTrust_Root.pem
>
> This would traditionally get moved (by me) into untrusted/ so that `certctl rehash`
> would do the right thing, but...

This one got dropped from the Mozilla data. I haven't looked at their
commit history so I don't know why. Seven other certificates moved from
trusted to untrusted, two because they expired and the others because
Mozilla switched their trust to “must verify”. See D52158.

> I started typing this out and realized that we would have removed the contents of
> /etc/ssl/certs before rehashing so that stale entries don't stick around, and the source
> certs in /usr/share/certs/trusted should be in ObsoleteFiles.inc and removed by
> `make delete-old`. We should probably call bankruptcy on the untrusted/ dir entirely and
> regenerate it completely from today's world with our next update, and update README in
> secure/caroot to avoid recommending silly practices.

I'm starting to think that we should actually not install untrusted
certificates at all. They mean nothing to OpenSSL or any other TLS
library; the only effect they have is to prevent certctl from adding the
certificate to the trusted list if it shows up elsewhere, e.g. in
ca_root_nss. But the more likely scenario is that a certificate is
trusted in base (which is older) but no longer trusted in ca_root_nss
(which is newer), and we don't get negative trust from ca_root_nss, so it
will still be trusted until maybe an EN removes it from base. And then we
have the case of the Baltimore CyberTrust Root above, which Mozilla just
dropped outright. With the current certctl implementation, it will
remain trusted forever.
This points toward the following:

* certctl should stop ingesting /etc/ssl and construct a new trust store
  based solely on /usr/share/certs and /usr/local/share/certs, to avoid
  perpetuating certificates that once were trusted but no longer are
* certctl should check the expiry date on trusted certificates and drop
  expired ones
* we should stop shipping /usr/share/certs/untrusted
* certctl should stop generating /etc/ssl/untrusted the way it does today
* /etc/ssl/untrusted should only be used to store certificates which the
  admin has manually distrusted

DES

-- 
Dag-Erling Smørgrav - des@FreeBSD.org
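The flow sketched in the list above, written out as an added shell example (not certctl's own code and not part of this message): the trust store is rebuilt from the source directories only, certificates that have expired or whose SHA-256 fingerprint matches one the admin placed in an untrusted directory are skipped, and the rest are installed under their subject hash. Directory paths are parameters; the CHECKEND expiry window (0 = already expired; a larger value generalizes the proposal to "expiring soon") and the cert_fp helper are assumptions, and files are copied rather than symlinked for simplicity.

```shell
#!/bin/sh
# Constructed example: rebuild a trust store from source directories only,
# dropping expired certificates and any the admin has manually distrusted.
# This is illustrative code, not certctl itself.
set -eu

# Assumed helper: SHA-256 fingerprint of a PEM certificate (colon-separated).
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# build_trust_store DEST UNTRUSTED_DIR SRC_DIR...
# DEST is wiped first, so nothing previously installed there is carried
# forward; only certificates found under the SRC_DIRs are considered.
# CHECKEND (seconds, default 0) is passed to `openssl x509 -checkend`:
# 0 skips only certificates that have already expired.  Prints the count kept.
build_trust_store() {
    dest=$1; untrusted=$2; shift 2
    rm -rf "$dest"; mkdir -p "$dest"
    # Fingerprints of certificates the admin has explicitly distrusted.
    distrusted=""
    for f in "$untrusted"/*.pem; do
        [ -f "$f" ] || continue
        distrusted="$distrusted $(cert_fp "$f")"
    done
    kept=0
    for src; do
        for f in "$src"/*.pem; do
            [ -f "$f" ] || continue
            # -checkend exits non-zero if the cert expires within the window.
            openssl x509 -noout -checkend "${CHECKEND:-0}" -in "$f" >/dev/null 2>&1 || continue
            # Skip anything whose fingerprint is on the distrust list.
            case " $distrusted " in *" $(cert_fp "$f") "*) continue ;; esac
            # Install as <subject_hash>.<n>, the layout OpenSSL's CApath uses.
            h=$(openssl x509 -noout -subject_hash -in "$f")
            n=0
            while [ -e "$dest/$h.$n" ]; do n=$((n + 1)); done
            cp "$f" "$dest/$h.$n"
            kept=$((kept + 1))
        done
    done
    echo "$kept"
}

# Usage: sh build-trust-store.sh DEST UNTRUSTED_DIR SRC_DIR...
if [ $# -ge 3 ]; then build_trust_store "$@"; fi
```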