From: Moritz Wilhelmy <mw+freebsd@barfooze.de>
To: freebsd-hackers@freebsd.org, freebsd-ports@freebsd.org, freebsd-questions@freebsd.org
Date: Fri, 4 Mar 2016 18:20:04 +0100
Subject: Location of the SSL CA root store (affects fetch(1) from base, ftp/wget, ftp/curl, and probably all software using OpenSSL)
Message-ID: <20160304172003.GD26392@barfooze.de>
In-Reply-To: <20160301025156.GC26392@barfooze.de>
List-Id: Technical Discussions relating to FreeBSD

Hello,

First off, I've been considering reporting this as multiple bugs, and it is a tough decision for me because I think there should be more internal discussion about what the project thinks about the official location for CA root certificate storage, so I'm sending this to the lists instead, and hoping I reach the right people.
Please excuse any mistakes in this regard; I'm new on the lists.

Is there a guideline or official stance regarding where software should look for the CA root certificate store? If not, I think there should be.

Tested on FreeBSD 10.1 with curl 7.47.0 and wget 1.16, with OpenSSL from the base system and no OpenSSL port installed.

fetch
=====

fetch looks for CA root certificates in /usr/local/etc/ssl/certs, which seems counterintuitive given that it is part of the base system.

Command used (for easy copy-pasting):

$ truss fetch -o /dev/null https://cacert.org 2>&1 | grep ^open

wget
====

ftp/wget only looks at /etc/ssl/certs, which is again counterintuitive given that it's a third-party package installed via the ports framework.

$ truss wget -O /dev/null https://cacert.org 2>&1 | grep ^open

curl
====

curl with the ca-root-nss option only looks at the file installed by that package that contains all NSS root certificates, but it completely ignores the CA certificate storage at /etc/ssl/certs as well as ${LOCALBASE}/etc/ssl/certs; instead it only ever looks at ${LOCALBASE}/share/certs/ca-root-nss.crt, where a sysadmin can't add certificates without their changes being overwritten by subsequent updates to the CA bundle package. (I've confirmed this via truss(1), but curl -v prints this path as well.) I haven't tried recompiling curl without the option to see where it would look for root certificates.

$ truss curl -o /dev/null https://cacert.org 2>&1 | grep ^open

Best regards,
Moritz
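The truss-based check above is easy to turn into a repeatable audit: capture the `open` lines for each tool, then see which of the candidate CA store locations each one actually consulted. The script below is an added example, not code from the original post or from any FreeBSD component; it assumes LOCALBASE=/usr/local, and the trace lines it works on are constructed to look like `truss ... | grep ^open` output (the exact flag and error text formatting is approximated).

```python
import re

# Candidate CA store locations mentioned in the thread.
# LOCALBASE=/usr/local is an assumption for this example.
CA_LOCATIONS = {
    "base-dir": "/etc/ssl/certs",
    "localbase-dir": "/usr/local/etc/ssl/certs",
    "nss-bundle": "/usr/local/share/certs/ca-root-nss.crt",
}

# Constructed sample trace lines (not real captures), in the general
# shape of `truss <tool> ... 2>&1 | grep ^open` output on FreeBSD 10.
SAMPLE_TRACE = {
    "fetch": [
        'open("/usr/local/etc/ssl/certs",O_RDONLY|O_DIRECTORY,00) ERR#2 \'No such file or directory\'',
        'open("/usr/local/etc/ssl/certs/e5662767.0",O_RDONLY,0666) ERR#2 \'No such file or directory\'',
    ],
    "wget": [
        'open("/etc/ssl/certs/e5662767.0",O_RDONLY,0666) ERR#2 \'No such file or directory\'',
    ],
    "curl": [
        'open("/usr/local/share/certs/ca-root-nss.crt",O_RDONLY,0666) = 4 (0x4)',
    ],
    # A tool that never touched any of the known locations at all.
    "unknown-tool": [
        'open("/etc/resolv.conf",O_RDONLY,0666) = 3 (0x3)',
    ],
}

# Matches open("/path",...) and openat(AT_FDCWD,"/path",...) style lines.
OPEN_RE = re.compile(r'^open(?:at)?\((?:[A-Z_]+,)?"([^"]+)"')


def opened_paths(lines):
    """Extract the path argument from each open()/openat() trace line."""
    paths = []
    for line in lines:
        m = OPEN_RE.match(line.strip())
        if m:
            paths.append(m.group(1))
    return paths


def _under(path, location):
    """True if `path` is `location` itself or a file inside it."""
    return path == location or path.startswith(location.rstrip("/") + "/")


def ca_stores_consulted(lines):
    """Names of CA_LOCATIONS that at least one open() call touched."""
    paths = opened_paths(lines)
    return sorted(
        name for name, loc in CA_LOCATIONS.items()
        if any(_under(p, loc) for p in paths)
    )


def audit(trace):
    """Per tool: which known CA store locations were consulted and which were ignored."""
    report = {}
    for tool, lines in trace.items():
        consulted = ca_stores_consulted(lines)
        ignored = sorted(set(CA_LOCATIONS) - set(consulted))
        report[tool] = {"consulted": consulted, "ignored": ignored}
    return report


if __name__ == "__main__":
    for tool, result in audit(SAMPLE_TRACE).items():
        print(f"{tool:13s} consulted={result['consulted']} ignored={result['ignored']}")
```

To use it on a real system, replace the constructed lists with the actual `truss <tool> ... 2>&1 | grep ^open` output for each program; a tool whose "consulted" list is empty is trusting something outside the three locations discussed here (or a compiled-in bundle), which is worth knowing before adding a private CA to any directory.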