Date: Fri, 4 Mar 2016 12:24:10 -0500
From: Allan Jude <allanjude@freebsd.org>
To: freebsd-hackers@freebsd.org
Subject: Re: Location of the SSL CA root store (affects fetch(1) from base, ftp/wget, ftp/curl, and probably all software using OpenSSL)
Message-ID: <56D9C4BA.1080901@freebsd.org>
In-Reply-To: <20160304172003.GD26392@barfooze.de>
References: <20160304172003.GD26392@barfooze.de>
On 2016-03-04 12:20, Moritz Wilhelmy wrote:
> Hello,
>
> First off, I've been considering reporting this as multiple bugs and it
> is a tough decision for me because I think there should be more internal
> discussion about what the project thinks about the official location for
> CA root certificate storage, so I'm sending this to the lists instead,
> and hoping I reach the right people. Please excuse any mistakes in this
> regard, I'm new on the lists.
>
> Is there a guideline or official stance regarding where software should
> look for the CA Root certificate store? If not, I think there should be.
>
> Tested on FreeBSD 10.1 with curl 7.47.0 and wget 1.16 with OpenSSL from
> the base system and no OpenSSL port installed.
>
> fetch
> =====
>
> fetch looks for CA root certificates in /usr/local/etc/ssl/certs, which
> seems counterintuitive given that it is part of the base system.
>
> Command used (for easy copy-pasting):
> $ truss fetch -o /dev/null https://cacert.org 2>&1 | grep ^open
>
> wget
> ====
>
> ftp/wget only looks at /etc/ssl/certs, which is again counterintuitive
> given that it's a 3rd party package installed via the ports framework.
>
> $ truss wget -O /dev/null https://cacert.org 2>&1 | grep ^open
>
> curl
> ====
>
> curl with the ca-root-nss option only looks at the file installed by
> that package that contains all NSS root certificates, but it completely
> ignores the CA certificate storage at /etc/ssl/certs as well as
> ${LOCALBASE}/etc/ssl/certs, instead it only ever looks at
> ${LOCALBASE}/share/certs/ca-root-nss.crt, where a sysadmin can't add
> certificates without their changes being overwritten by subsequent
> updates to the CA bundle package. (I've confirmed this via truss(1) but
> curl -v prints this path as well).
>
> I haven't tried recompiling curl without the option to see where it
> would look for root certificates.
>
> $ truss curl -o /dev/null https://cacert.org 2>&1 | grep ^open
>
>
> Best regards,
>
> Moritz

This recent patch may be of interest to you:

https://svnweb.freebsd.org/base/head/lib/libfetch/common.c?revision=294326&view=markup

-- 
Allan Jude
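The thread's underlying question is which CA store a given OpenSSL-linked program actually consults on a host. As an added example (not code from the thread, from FreeBSD or from any of the projects named), the script below reports the compiled-in OpenSSL defaults and the SSL_CERT_FILE/SSL_CERT_DIR overrides as Python's ssl module exposes them, and counts certificates in the locations the thread mentions; the candidate path list is an assumption (LOCALBASE taken as /usr/local), and the script does not replicate libfetch's or curl's own lookup logic, which the thread shows can differ from OpenSSL's.

```python
import os
import ssl
from pathlib import Path

# Store locations named in the thread (assumed list, LOCALBASE=/usr/local).
CANDIDATES = [
    "/etc/ssl/cert.pem",
    "/etc/ssl/certs",
    "/usr/local/etc/ssl/cert.pem",
    "/usr/local/etc/ssl/certs",
    "/usr/local/share/certs/ca-root-nss.crt",
]
PEM_MARKER = "-----BEGIN CERTIFICATE-----"
# Compile-time defaults and env var names baked into the linked OpenSSL.
DEFAULTS = ssl.get_default_verify_paths()


def count_pem_certs_in_text(data):
    """Number of PEM certificate blocks in bundle text."""
    return data.count(PEM_MARKER)


def count_pem_certs(path):
    """Certificates at path (a bundle file or a hashed directory);
    None when absent, unreadable entries counted as 0."""
    p = Path(path)
    if not p.exists():
        return None
    files = [p] if p.is_file() else [f for f in p.iterdir() if f.is_file()]
    total = 0
    for f in files:
        try:
            total += count_pem_certs_in_text(f.read_text(errors="replace"))
        except OSError:
            pass
    return total


def effective_openssl_store(environ=None):
    """Resolve what OpenSSL itself would use: a non-empty SSL_CERT_FILE /
    SSL_CERT_DIR in the environment overrides the compiled-in default."""
    env = os.environ if environ is None else environ
    cafile_env = env.get(DEFAULTS.openssl_cafile_env)
    capath_env = env.get(DEFAULTS.openssl_capath_env)
    return {
        "cafile": cafile_env or DEFAULTS.openssl_cafile,
        "capath": capath_env or DEFAULTS.openssl_capath,
        "cafile_from_env": bool(cafile_env),
        "capath_from_env": bool(capath_env),
    }


def audit(candidates=CANDIDATES):
    """Map each candidate store to its certificate count (None = absent)."""
    return {c: count_pem_certs(c) for c in candidates}


if __name__ == "__main__":
    print("OpenSSL store:", effective_openssl_store())
    for path, n in audit().items():
        print(path, "absent" if n is None else f"{n} cert(s)")
```

Run it on each host whose fetch/wget/curl behaviour you are comparing; a store that is present but holds zero certificates, or an SSL_CERT_FILE override pointing elsewhere, explains most "works here, fails there" verification differences.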