Date: Wed, 02 Jul 2014 20:55:07 -0500
From: Bryan Drewery <bdrewery@FreeBSD.org>
To: d@delphij.net, freebsd-security@FreeBSD.ORG
Cc: Ben Laurie <benl@freebsd.org>, gecko@FreeBSD.org, re <re@freebsd.org>, Jung-uk Kim <jkim@freebsd.org>, FreeBSD Ports Management Team <portmgr@FreeBSD.org>
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID: <53B4B7FB.6070407@FreeBSD.org>
In-Reply-To: <53B499B1.4090003@delphij.net>
References: <53B499B1.4090003@delphij.net>

+portmgr

On 7/2/2014 6:45 PM, Xin Li wrote:
> Hi,
>
> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
> because we do not maintain one ourselves. We do, however, provide a
> port, security/ca_root_nss, which has an option to install a symbolic
> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
> which is not the default option.
>
> This becomes a problem when applications, e.g. fetch(8), have grown the
> support of doing certificate validation. I think now it makes sense
> to have a default cert.pem installed with the base system.
>
> So my proposal would be:
>
> 1. Import a set of trusted root certificates, and install if
> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
>
> 2. In src/etc/Makefile, automatically create a symbolic link if it's
> not already present in ${DESTDIR}/etc/ssl;
>
> 3. Teach mergemaster(8) and other similar applications to create the
> symbolic link on demand;
>
> 4. Change the install/deinstall behavior of security/ca_root_nss:
> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
> install then overwrite with new symlink, and restore on deinstall.
> ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
> install a new symlink; on deinstall, if
> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
> symlink to there, or remove if the file does not exist.
>
> Comments/objections?
>
> Cheers,

Please see r266291. libfetch will now look in /usr/local/etc/ssl/ before
/etc/ssl. The next step was to have the port always install the symlink
there. It's fallen through the cracks though.

This only allows fixing applications that use libfetch though and not
other applications that expect a /etc/ssl/cert.pem like curl.

I have no qualms about making security/ca_root_nss *always* install a
symlink into /usr/local/etc/ssl, but touching base system is not usually
proper for a port. There is this vague idea floating around that for
package building, ports should never touch the base system (except
/var/db or /var/games or /etc/*passwd*) and / should otherwise be
read-only. This has not become a reality or had much discussion yet,
though we do frown on overwriting base and touching base already. For
example, the perl symlink in /usr/bin is phased out.

I like the idea of the base system installing a symlink from
/etc/ssl/cert.pem to *somewhere*. I like the idea of secteam maintaining
a ca-root-freebsd.pem even better, as long as you are willing to.

IMHO always install it, don't depend on MK_OPENSSL. Is the file actually
specific to OpenSSL? Ports would love to have it be available all the
time regardless of SSL library choices.

-- 
Regards,
Bryan Drewery
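
Added example, not part of the original mail and not FreeBSD code: a small sh audit that walks the lookup order mentioned above (/usr/local/etc/ssl before /etc/ssl) and reports which cert.pem would be picked, flagging a symlink left dangling after the port is deinstalled. The `ROOT` prefix, the function names and the rule "usable means it contains a PEM certificate" are assumptions made for the example.

```sh
#!/bin/sh
# Added example: which CA bundle does the lookup order from the mail select?
# ROOT is a hypothetical prefix so the check can run against a staged tree.

# Print the status of one candidate path: dangling, missing, nocert or ok.
bundle_status() {
    path=$1
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo dangling    # symlink whose target is gone (e.g. port deinstalled)
    elif [ ! -e "$path" ]; then
        echo missing
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$path" 2>/dev/null; then
        echo nocert      # present, but no readable PEM certificate inside
    else
        echo ok
    fi
}

# Print the first usable bundle under ROOT, trying /usr/local/etc/ssl first.
# Returns 1 when neither location yields a usable bundle.
select_bundle() {
    root=${1:-}
    for rel in /usr/local/etc/ssl/cert.pem /etc/ssl/cert.pem; do
        if [ "$(bundle_status "$root$rel")" = ok ]; then
            echo "$rel"
            return 0
        fi
    done
    return 1
}

# Print one "path: status" line per candidate, suitable for an audit log.
audit_bundles() {
    root=${1:-}
    for rel in /usr/local/etc/ssl/cert.pem /etc/ssl/cert.pem; do
        echo "$rel: $(bundle_status "$root$rel")"
    done
}

audit_bundles "${ROOT:-}"
```

A non-zero return from `select_bundle` means a client following this order has no trust anchors to validate against on that tree.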