Date: Fri, 22 Sep 2023 07:57:27 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 274016] certctl(8): deprecate and remove usage of <DESTDIR>/usr/local/etc/ssl/certs and <DESTDIR>/usr/local/etc/ssl/blacklisted as source for custom CA certs
Message-ID: <bug-274016-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274016

Bug ID: 274016
Summary: certctl(8): deprecate and remove usage of <DESTDIR>/usr/local/etc/ssl/certs and <DESTDIR>/usr/local/etc/ssl/blacklisted as source for custom CA certs
Product: Base System
Version: 12.4-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: michael.osipov@siemens.com

While discussing Bug 269473, others and I discovered that it is an abuse of /usr/local/etc/ssl/certs and likely of /usr/local/etc/ssl/blacklisted. certctl(8) defines the following input directories:

> TRUSTPATH List of paths to search for trusted certificates.
> Default: <DESTDIR>/usr/share/certs/trusted
> <DESTDIR>/usr/local/share/certs
> <DESTDIR>/usr/local/etc/ssl/certs
>
> BLACKLISTPATH List of paths to search for blacklisted certificates.
> Default: <DESTDIR>/usr/share/certs/blacklisted
> <DESTDIR>/usr/local/etc/ssl/blacklisted

TRUSTPATH: <DESTDIR>/usr/local/etc/ssl/certs

When any OpenSSL derivative is installed from ports, it expects that its rehash algorithm puts hashed links into /usr/local/etc/ssl/certs. This is not supposed to be an input directory to another hashing process, but solely output of ports hashing and input for any ports OpenSSL derivative. An implementation detail, so to speak. The actual subject hashing is an implementation detail and not publicly documented unless you read the source code.

In that spirit, this dir should be deprecated and removed without replacement since we have <DESTDIR>/usr/local/share/certs for custom certs beyond base.

BLACKLISTPATH: <DESTDIR>/usr/local/etc/ssl/blacklisted

This is logically identical to the above. /usr/local/etc/ssl serves as OPENSSLDIR. The actual, logical path should be <DESTDIR>/usr/local/share/certs/blacklisted. Identical approach: introduce the new one, deprecate and remove the old one.
I am certain that I have discussed this to some degree with Kyle Evans (kevans@), but he has left the topic, unfortunately.
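The report's core point is that /usr/local/etc/ssl/certs holds the hashed links produced by an OpenSSL rehash run (names of the form XXXXXXXX.N), not source certificates, so feeding it back into certctl(8) as a TRUSTPATH entry is a mistake. The following added example (written here for illustration, not code from the bug report or from certctl itself) audits a list of TRUSTPATH-style directories and flags the ones that look like rehash output rather than a source directory; the fixture tree, file names and the hash link name 9d66eef0.0 are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the bug report: classify each directory in a
# certctl(8)-style TRUSTPATH as a "source" dir (PEM files under their own
# names) or a "rehash-output" dir (only OpenSSL c_rehash-style links named
# XXXXXXXX.N for certs or XXXXXXXX.rN for CRLs).

# Return 0 if the directory is non-empty and every entry is a hash link.
is_rehash_output_dir() {
    dir=$1
    hex='[0-9a-f]'
    h8="$hex$hex$hex$hex$hex$hex$hex$hex"
    n=0
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || return 1   # empty dir is not rehash output
        case ${f##*/} in
            $h8.[0-9]*|$h8.r[0-9]*) n=$((n+1)) ;;   # subject hash link
            *) return 1 ;;                          # a real file name: source dir
        esac
    done
    [ "$n" -gt 0 ]
}

# Print "<dir> source", "<dir> rehash-output" or "<dir> missing" per entry.
audit_trustpath() {
    for d in "$@"; do
        [ -d "$d" ] || { echo "$d missing"; continue; }
        if is_rehash_output_dir "$d"; then
            echo "$d rehash-output"
        else
            echo "$d source"
        fi
    done
}

# Constructed fixture mirroring the layout the report describes: a custom CA
# under /usr/local/share/certs and the rehash link OpenSSL-from-ports makes
# for it under /usr/local/etc/ssl/certs.  Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/share/certs" "$root/usr/local/etc/ssl/certs"
    printf -- '-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n' \
        > "$root/usr/local/share/certs/corp-root.pem"
    ln -s ../../share/certs/corp-root.pem "$root/usr/local/etc/ssl/certs/9d66eef0.0"
    echo "$root"
}
```

Running `audit_trustpath` over certctl's default TRUSTPATH on a host with a ports OpenSSL installed shows which entry is the rehash output directory the report proposes to drop.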