From: Allan Jude
To: freebsd-hackers@freebsd.org
Subject: Re: Location of the SSL CA root store (affects fetch(1) from base, ftp/wget, ftp/curl, and probably all software using OpenSSL)
Date: Fri, 4 Mar 2016 12:24:10 -0500
Message-ID: <56D9C4BA.1080901@freebsd.org>
In-Reply-To: <20160304172003.GD26392@barfooze.de>

On 2016-03-04 12:20, Moritz Wilhelmy wrote:
> Hello,
>
> First off, I've been considering reporting this as multiple bugs and it
> is a tough decision for me because I think there should be more internal
> discussion about what the project thinks about the official location for
> CA root certificate storage, so I'm sending this to the lists instead,
> and hoping I reach the right people. Please excuse any mistakes in this
> regard, I'm new on the lists.
>
> Is there a guideline or official stance regarding where software should
> look for the CA root certificate store? If not, I think there should be.
>
> Tested on FreeBSD 10.1 with curl 7.47.0 and wget 1.16 with OpenSSL from
> the base system and no OpenSSL port installed.
>
> fetch
> =====
>
> fetch looks for CA root certificates in /usr/local/etc/ssl/certs, which
> seems counterintuitive given that it is part of the base system.
>
> Command used (for easy copy-pasting):
> $ truss fetch -o /dev/null https://cacert.org 2>&1 | grep ^open
>
> wget
> ====
>
> ftp/wget only looks at /etc/ssl/certs, which is again counterintuitive
> given that it's a 3rd party package installed via the ports framework.
>
> $ truss wget -O /dev/null https://cacert.org 2>&1 | grep ^open
>
> curl
> ====
>
> curl with the ca-root-nss option only looks at the file installed by
> that package that contains all NSS root certificates, but it completely
> ignores the CA certificate storage at /etc/ssl/certs as well as
> ${LOCALBASE}/etc/ssl/certs; instead it only ever looks at
> ${LOCALBASE}/share/certs/ca-root-nss.crt, where a sysadmin can't add
> certificates without their changes being overwritten by subsequent
> updates to the CA bundle package. (I've confirmed this via truss(1), but
> curl -v prints this path as well.)
>
> I haven't tried recompiling curl without the option to see where it
> would look for root certificates.
>
> $ truss curl -o /dev/null https://cacert.org 2>&1 | grep ^open
>
>
> Best regards,
>
> Moritz

This recent patch may be of interest to you:
https://svnweb.freebsd.org/base/head/lib/libfetch/common.c?revision=294326&view=markup

-- 
Allan Jude
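As an added example (not part of the thread and not FreeBSD project code), a small POSIX sh helper that reduces the kind of truss(1) trace Moritz ran to a summary of which candidate CA-store paths a program tried to open and whether each open succeeded, plus a probe of which of the three store locations named in the thread exist on the current host. The trace lines embedded below are constructed, not real tool output; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises a truss(1) trace
# (as produced by "truss fetch ... 2>&1") into the CA-store paths the
# program tried to open and whether each open succeeded.
# Directories/files the thread names as candidate CA root stores.
CA_STORE_PATTERN='/etc/ssl/|/usr/local/etc/ssl/|/usr/local/share/certs/'

# ca_store_opens: read a truss trace on stdin; print "<path> OK" when
# open(2)/openat(2) returned a descriptor, "<path> MISSING" on ERR#2
# (ENOENT) and "<path> ERR" on any other error. Non-CA paths are dropped.
ca_store_opens() {
    grep -E '^open(at)?\(' | grep -E "\"($CA_STORE_PATTERN)" |
    while IFS= read -r line; do
        path=$(printf '%s\n' "$line" |
               sed -E 's/^open(at)?\([^"]*"([^"]*)".*/\2/')
        case "$line" in
            *"ERR#2 "*) echo "$path MISSING" ;;
            *"ERR#"*)   echo "$path ERR" ;;
            *)          echo "$path OK" ;;
        esac
    done | sort -u
}

# probe_ca_stores: report which candidate stores exist on this host;
# returns 0 if at least one does.
probe_ca_stores() {
    found=1
    for p in /etc/ssl/certs /usr/local/etc/ssl/certs \
             /usr/local/share/certs/ca-root-nss.crt; do
        if [ -e "$p" ]; then echo "$p present"; found=0
        else echo "$p absent"; fi
    done
    return $found
}

# Constructed sample trace standing in for "truss curl -o /dev/null
# https://example.invalid 2>&1 | grep ^open"; not real curl output.
sample_trace() {
    cat <<'EOF'
open("/etc/ssl/cert.pem",O_RDONLY,0666)                 ERR#2 'No such file or directory'
openat(AT_FDCWD,"/usr/local/etc/ssl/certs",O_RDONLY,00) ERR#2 'No such file or directory'
open("/usr/local/share/certs/ca-root-nss.crt",O_RDONLY,0666) = 3 (0x3)
open("/lib/libc.so.7",O_RDONLY,0)                        = 3 (0x3)
EOF
}

# On a live host: truss curl -o /dev/null https://host/ 2>&1 | ca_store_opens
sample_trace | ca_store_opens
probe_ca_stores || echo "no candidate CA store found on this host"
```

Run the summary against each of fetch, wget and curl to see in one glance which store each tool actually consults and which lookups fail with ENOENT.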