From nobody Mon Jan 23 21:15:57 2023 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4P130c2MQPz3bQt4 for ; Mon, 23 Jan 2023 21:20:16 +0000 (UTC) (envelope-from news@mips.inka.de) Received: from mail.inka.de (mail.inka.de [IPv6:2a04:c9c7:0:1073:217:a4ff:fe3b:e77c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4P130b31tWz3CLw for ; Mon, 23 Jan 2023 21:20:15 +0000 (UTC) (envelope-from news@mips.inka.de) Authentication-Results: mx1.freebsd.org; dkim=none; spf=none (mx1.freebsd.org: domain of news@mips.inka.de has no SPF policy when checking 2a04:c9c7:0:1073:217:a4ff:fe3b:e77c) smtp.mailfrom=news@mips.inka.de; dmarc=none Received: from mips.inka.de (news@[127.0.0.1]) by mail.inka.de with uucp (rmailwrap 0.5) id 1pK4EW-00C7cw-Gr; Mon, 23 Jan 2023 22:20:04 +0100 Received: from lorvorc.mips.inka.de (localhost [127.0.0.1]) by lorvorc.mips.inka.de (8.16.1/8.16.1) with ESMTP id 30NLFvCQ069653 for ; Mon, 23 Jan 2023 22:15:57 +0100 (CET) (envelope-from news@lorvorc.mips.inka.de) Received: (from news@localhost) by lorvorc.mips.inka.de (8.16.1/8.16.1/Submit) id 30NLFv1P069652 for freebsd-security@freebsd.org; Mon, 23 Jan 2023 22:15:57 +0100 (CET) (envelope-from news) To: freebsd-security@freebsd.org From: Christian Weisgerber Newsgroups: list.freebsd.security Subject: Re: Can security/ca_root_nss be retired? Date: Mon, 23 Jan 2023 21:15:57 -0000 (UTC) Message-ID: References: <551458a3-665f-9f55-8ef9-1dd23e1e3aee@bluerosetech.com> User-Agent: slrn/1.0.3 (FreeBSD) X-Spamd-Result: default: False [-0.44 / 15.00]; AUTH_NA(1.00)[]; SUBJECT_ENDS_QUESTION(1.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.64)[-0.645]; FORGED_SENDER(0.30)[naddy@mips.inka.de,news@mips.inka.de]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[inka.de]; MIME_TRACE(0.00)[0:+]; R_SPF_NA(0.00)[no SPF record]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; R_DKIM_NA(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; RCVD_COUNT_THREE(0.00)[4]; ASN(0.00)[asn:202113, ipnet:2a04:c9c0::/29, country:DE]; FROM_HAS_DN(0.00)[]; FREEFALL_USER(0.00)[news]; ARC_NA(0.00)[]; RCVD_TLS_LAST(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; FROM_NEQ_ENVFROM(0.00)[naddy@mips.inka.de,news@mips.inka.de] X-Rspamd-Queue-Id: 4P130b31tWz3CLw X-Spamd-Bar: / X-ThisMailContainsUnwantedMimeParts: N List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org On 2023-01-19, Mel Pilgrim wrote: > Given /usr/share/certs exists for all supported releases, is there any > reason to keep the ca_root_nss port? Yes. net/openntpd does this: tls_load_file(tls_default_ca_cert_file(), ...) tls_default_ca_cert_file() is from security/libretls, where it is a wrapper around X509_get_default_cert_file() from OpenSSL. X509_get_default_cert_file() returns X509_CERT_FILE, which is defined to "/etc/ssl/cert.pem". I don't see a replacement in /usr/share/certs/. I used openntpd as an example, because that's a case I know, but presumably there are further instances in the ports tree. -- Christian "naddy" Weisgerber naddy@mips.inka.de