From nobody Wed Jun 30 11:53:25 2021 X-Original-To: bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 6ABF611E5A8E for ; Wed, 30 Jun 2021 11:53:25 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4GFKVY2XCLz3R7B for ; Wed, 30 Jun 2021 11:53:25 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3FE3D43DC for ; Wed, 30 Jun 2021 11:53:25 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 15UBrPUw060942 for ; Wed, 30 Jun 2021 11:53:25 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 15UBrPLv060941 for bugs@FreeBSD.org; Wed, 30 Jun 2021 11:53:25 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 256902] libfetch breaks usage of certctl managed store when security/ca_root_nss is installed Date: Wed, 30 Jun 2021 11:53:25 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: 12.2-STABLE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: michael.osipov@siemens.com X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-bugs@freebsd.org MIME-Version: 1.0 X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D256902 Bug ID: 256902 Summary: libfetch breaks usage of certctl managed store when security/ca_root_nss is installed Product: Base System Version: 12.2-STABLE Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: bin Assignee: bugs@FreeBSD.org Reporter: michael.osipov@siemens.com I have already discussed this some time ago with kevans@ who wanted to talk with bapt@ about this, but we never have got around to report an actual iss= ue. We heavily rely on certctl(8) developed by allanjude@ and kevans@ to add all root and intermediate CAs for Siemens in /usr/local/share/certs: > # certctl list | grep -i -e "QuoVadis Enterprise" -e Siemens > 0e436b80.0 Siemens Issuing CA Class OneAD 04 > 0e91b229.0 Siemens Issuing CA Class OneAD 14 > 17c10339.0 Siemens Issuing CA Class OneAD 05 > 1c683ff3.0 Siemens Issuing CA Class OneAD 13 > 1c7620aa.0 Siemens Issuing CA Internet Code Signing 2016 > 1d069c00.0 Siemens Issuing CA Class OneAD 10 > 2b9d74f0.0 Siemens Issuing CA EE Network Smartcard Auth 2016 > 31e09dd6.0 Siemens Issuing CA Class OneAD 11 > 3210d285.0 Siemens Issuing CA Class OneAD 03 > 4ca5f54b.0 QuoVadis Enterprise Trust CA 2 G3 > 55683be0.0 Siemens Issuing CA EE Auth 2020 > 681ad634.0 Siemens Issuing CA Internet Server 2016 > 780389f9.0 QuoVadis Enterprise Trust CA 1 G3 > 7b1c186e.0 Siemens Issuing CA Class OneAD 06 > 81841955.0 Siemens Issuing CA EE Network Smartcard Auth 2020 > 8aac0ad6.0 Siemens Issuing CA EE Enc 2020 > 8af2d467.0 Siemens OneAD Root CA > 8dc03e53.0 Siemens Internet CA V1.0 > 9245e478.0 Siemens Issuing CA Class OneAD 02 > 930b5fed.0 Siemens Issuing CA Multi Purpose 2016 > 970040fc.0 Siemens Issuing CA Class OneAD 09 > 9ec27e42.0 Siemens Issuing CA Intranet Server 2016 > a331fcb4.0 Siemens Issuing CA EE Auth 2016 > a382b08f.0 Siemens Trust Center Root-CA V2.0 > aec1ff25.0 Siemens Issuing CA Class OneAD 08 > b428065f.0 Siemens Issuing CA EE Enc 2016 > b5d79467.0 QuoVadis Enterprise Trust CA 3 G3 > bc2924b7.0 Siemens Issuing CA Class OneAD 01 > bd411d1f.0 Siemens Issuing CA Class OneAD 00 > be133774.0 Siemens Issuing CA Medium Strength Authentication 2020 > c2cf79c6.0 Siemens Issuing CA Class OneAD 12 > d4555404.0 Siemens Issuing CA Intranet Server 2017 > d7532a42.0 Siemens Issuing CA Internet Server 2017 > d9d79a66.0 Siemens Root CA V3.0 2016 > ddc2d14f.0 Siemens Issuing CA MSA Impersonalized Entities 2016 > e6a60b73.0 Siemens Issuing CA Intranet Code Signing 2016 > f103366b.0 Siemens Issuing CA Class OneAD 07 > f38f510d.0 Siemens Issuing CA Medium Strength Authentication 2016 So all applications linked to OpenSSL will use this store out of the box w/o any further configuration. Now, when I use fetch/pkg (libfetch) to get files hosted on corporate serve= rs certificate verification fails when some port/package (transitive dependenc= y) requires the security/ca_root_nss pestilence for some reason. The reason is that libfetch has not been modified when certctl(8) introduce= d. The fauly code is (https://github.com/freebsd/freebsd-src/blob/373ffc62c158e52cde86a5b934ab4a= 51307f9f2e/lib/libfetch/common.c#L1082-L1105): > if (getenv("SSL_NO_VERIFY_PEER") =3D=3D NULL) { > ca_cert_file =3D getenv("SSL_CA_CERT_FILE"); > if (ca_cert_file =3D=3D NULL && > access(LOCAL_CERT_FILE, R_OK) =3D=3D 0) > ca_cert_file =3D LOCAL_CERT_FILE; This is installed by the security/ca_root_nss port thus > if (ca_cert_file =3D=3D NULL && > access(BASE_CERT_FILE, R_OK) =3D=3D 0) > ca_cert_file =3D BASE_CERT_FILE; > ca_cert_path =3D getenv("SSL_CA_CERT_PATH"); > if (verbose) { > fetch_info("Peer verification enabled"); > if (ca_cert_file !=3D NULL) > fetch_info("Using CA cert file: %s", > ca_cert_file); > if (ca_cert_path !=3D NULL) > fetch_info("Using CA cert path: %s", > ca_cert_path); > if (ca_cert_file =3D=3D NULL && ca_cert_path =3D=3D NULL) > fetch_info("Using OpenSSL default " > "CA cert file and path"); > } > SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, > fetch_ssl_cb_verify_crt); > if (ca_cert_file !=3D NULL || ca_cert_path !=3D NULL) > SSL_CTX_load_verify_locations(ctx, ca_cert_file, > ca_cert_path); > else > SSL_CTX_set_default_verify_paths(ctx); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This never gets activated. I currently addded a workaround to login.conf SSL_CA_CERT_PATH=3D/etc/ssl/certs, but it still has problems: https://github.com/BastilleBSD/bastille/issues/410 A user's/admin's expectation is that the default system store is used unless otherwise configured. I did neither install BASE_CERT_FILE nor LOCAL_CERT_F= ILE, it has been imposed by others. So fetch provides --ca-cert and --ca-path which shall override the default store IF they are provided by the user OR SSL_CA_CERT_PATH/SSL_CA_CERT_FILE= are set. kevans@ and we also concluded that security/ca_root_nss has very little use sinse there is /etc/ssl/certs now and it could be reduced/removed at some p= oint in time. There ports > # grep -rl --include=3D'*/Makefile' ca_root_nss . | wc -l > 115 need to be revisited why they require security/ca_root_nss. --=20 You are receiving this mail because: You are the assignee for the bug.=