Date: Thu, 31 Jan 2013 19:40:01 GMT
From: Jan Beich <jbeich@tormail.org>
To: gecko@FreeBSD.org
Subject: Re: ports/160387: security/ca_root_nss: Allow user to trust extra local certificates
Message-ID: <201301311940.r0VJe1mx000844@freefall.freebsd.org>
The following reply was made to PR ports/160387; it has been noted by GNATS.

From: Jan Beich <jbeich@tormail.org>
To: Romain Tartiere <romain@FreeBSD.org>
Cc: bug-followup@freebsd.org
Subject: Re: ports/160387: security/ca_root_nss: Allow user to trust extra local certificates
Date: Fri, 01 Feb 2013 00:30:34 +0500

Romain Tartiere <romain@FreeBSD.org> writes:

> 1. Have some domain protected by some self-made certificate or e.g. cacert
> 2. Install security/ca_root_nss and ftp/curl
> 3. curl https://some.domain.example.com/
> ** fails **
> 4. cat cert >> /usr/local/share/certs/ca-root-nss.crt
> 5. curl https://some.domain.example.com/
> ** success **

This mostly depends on the app, e.g.,

- openssl(1) only uses CA certs with -CApath or -CAfile
- subversion (neon), lynx, etc. call SSL_CTX_set_default_verify_paths()
- curl (openssl) hardcodes either /etc/ssl/certs/ or
  ${LOCALBASE}/share/certs/ca-root-nss.crt (CA_BUNDLE option)
- curl (gnutls) hardcodes /etc/ssl/cert.pem
- epiphany2 (gnutls?) accepts self-signed certificates without warning
  but otherwise hardcodes the path to ca-root-nss.crt
- firefox and chromium hardcode CA certs into libnssckbi.so from a bundled
  copy of certdata.txt in the nss port (not ca_root_nss)

and a bit more detailed

# add a shared self-signed certificate
$ mkdir /etc/ssl/certs; cd /etc/ssl/certs
$ openssl s_client -connect trillian.chruetertee.ch:https </dev/null 2>&0 | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -fingerprint >freebsd-gecko.crt
$ ln -sf freebsd-gecko.crt $(openssl x509 -hash -noout -in freebsd-gecko.crt).0

$ openssl s_client -connect trillian.chruetertee.ch:https -CApath /var/empty
...
Verify return code: 0 (ok)

$ curl https://trillian.chruetertee.ch/svn/freebsd-gecko/trunk/
<?xml version="1.0"?>
...

$ HOME=/var/empty svn ls https://trillian.chruetertee.ch/svn/freebsd-gecko/trunk/
Gecko_ChangeLog
Gecko_TODO
Mk/
devel/
mail/
security/
www/

It may be worth looking at how other distros tried to solve the mess.

https://fedoraproject.org/wiki/FedoraCryptoConsolidation
http://en.opensuse.org/SDB:Share_certificates_between_applications_or_whole_system
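The hash-symlink layout Jan builds by hand under /etc/ssl/certs is what OpenSSL's -CApath lookup (and every app that calls SSL_CTX_set_default_verify_paths()) reads. The script below is an added example, not code from the mail or from the ca_root_nss port: it generates a throwaway self-signed certificate so it runs offline, installs it into a CApath directory with the <subject-hash>.N symlink, and checks with openssl verify that the certificate is rejected before installation and accepted after. It goes one step beyond the mail by picking the next free .N suffix when two certificates share a subject hash, which is what c_rehash does. The directory and subject names (demo-ca, "Demo Local CA") are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original mail or the ca_root_nss port).
# Builds a CApath directory the way the mail does, using a locally generated
# self-signed certificate so nothing touches the network.
set -eu

WORK=$(mktemp -d)
CAPATH="$WORK/certs"
mkdir -p "$CAPATH"
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway self-signed certificate: $1 = output PEM, $2 = CN.
gen_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Install a PEM certificate into a CApath directory: copy it in and create the
# <subject-hash>.N symlink that OpenSSL's by_dir lookup expects. N starts at 0
# and is bumped on a subject-hash collision (c_rehash behaviour). Prints the
# link name; re-installing the same file is idempotent.
install_capath() {
    dir=$1; cert=$2
    name=$(basename "$cert")
    cp "$cert" "$dir/$name"
    hash=$(openssl x509 -hash -noout -in "$cert")   # same as -subject_hash
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n")" = "$name" ]; then
            echo "$hash.$n"; return 0
        fi
        n=$((n + 1))
    done
    ln -s "$name" "$dir/$hash.$n"
    echo "$hash.$n"
}

# Verify a certificate against a CApath only; prints "ok" or "fail".
verify_capath() {
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Demo run with a constructed throwaway CA (CN is made up).
DEMO="$WORK/demo-ca.pem"
gen_self_signed "$DEMO" "Demo Local CA"
echo "before install: $(verify_capath "$CAPATH" "$DEMO")"   # fail
echo "linked as:      $(install_capath "$CAPATH" "$DEMO")"
echo "after install:  $(verify_capath "$CAPATH" "$DEMO")"   # ok
```

Since OpenSSL 1.0.0 `-hash` is the current subject hash; older trees that still expect the MD5-based name need `-subject_hash_old`. As the mail's list shows, populating /etc/ssl/certs only helps the programs that actually consult it (openssl with -CApath, neon-based subversion, lynx); curl built against OpenSSL reads the single CA_BUNDLE file instead, which is why appending to ca-root-nss.crt was the only thing that worked in the original report.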