On 7/2/2014 8:55 PM, Bryan Drewery wrote:
> On 7/2/2014 6:45 PM, Xin Li wrote:
>> Hi,
>>
>> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
>> because we do not maintain one ourselves. We do, however, provide a
>> port, security/ca_root_nss, which has an option to install a symbolic
>> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
>> which is not the default option.
>>
>> This becomes a problem when applications, e.g. fetch(8), have grown
>> support for doing certificate validation. I think now it makes sense
>> to have a default cert.pem installed with the base system.
>>
>> So my proposal would be:
>>
>> 1. Import a set of trusted root certificates, and install if
>> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
>>
>> 2. In src/etc/Makefile, automatically create a symbolic link if it's
>> not already present in ${DESTDIR}/etc/ssl;
>>
>> 3. Teach mergemaster(8) and other similar applications to create the
>> symbolic link on demand;
>>
>> 4. Change the install/deinstall behavior of security/ca_root_nss:
>> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
>> install then overwrite with new symlink, and restore on deinstall.
>> ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
>> install a new symlink; on deinstall, if
>> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
>> symlink to there, or remove if the file does not exist.
>>
>> Comments/objections?
>>
>> Cheers,
>
> Please see r266291.
>
> libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl.
>
> The next step was to have the port always install the symlink there.
> It's fallen through the cracks though.
>
> This only allows fixing applications that use libfetch though and not
> other applications that expect a /etc/ssl/cert.pem like curl.

This seems to have been dropped. We do need some sort of solution though.

I've found that curl already does the right thing and looks at the proper /usr/local location for the ca_root_nss bundle, due to being configured in the curl port to do so.

The remaining piece IMHO would be fixing base openssl to look for /usr/local/etc/ssl/cert.pem before /etc/ssl/cert.pem. The port currently looks in /usr/local/openssl by default and not /etc/ssl.

Here is a patch for the port to check /usr/local/etc/ssl first:
https://people.freebsd.org/~bdrewery/patches/port-openssl-local-cert-pem.diff

And a patch for base libcrypto to check /usr/local/etc/ssl first:
https://people.freebsd.org/~bdrewery/patches/base-openssl-local-cert-pem.diff

These allow things like wget to work by default once ca_root_nss is installed with the /usr/local/etc/ssl/cert.pem symlink.

As for installing a CA root bundle by default, we could just bootstrap it along with pkg from ca_root_nss.

-- 
Regards,
Bryan Drewery
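A worked example, added here and not part of the thread or of FreeBSD's own code: a POSIX sh script that implements the lookup order Bryan describes (/usr/local/etc/ssl/cert.pem before /etc/ssl/cert.pem, the order libfetch uses after r266291) together with the ETCSYMLINK install/deinstall rules from step 4 of Xin Li's proposal. The ROOT variable, the ".bak" backup name and the function names are assumptions introduced for the example so it can be exercised against a scratch directory; the bundle paths are the ones named in the thread. The lookup also checks that a candidate file actually contains a PEM certificate, so a dangling or empty symlink does not count as a usable bundle.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT is an assumed knob: empty on a real
# system, or a scratch directory for testing. All other paths come from the
# thread (ca_root_nss bundle, proposed base bundle, the two cert.pem locations).
ROOT="${ROOT:-}"

set_paths() {
    NSS_BUNDLE="${ROOT}/usr/local/share/certs/ca-root-nss.crt"
    BASE_BUNDLE="${ROOT}/usr/share/misc/ca-root-freebsd.pem"
    LOCAL_PEM="${ROOT}/usr/local/etc/ssl/cert.pem"
    ETC_PEM="${ROOT}/etc/ssl/cert.pem"
    BACKUP="${ETC_PEM}.bak"          # assumed backup name for the ETCSYMLINK case
}

# Print the first candidate bundle, local port location first, that is readable
# and holds at least one PEM certificate. Returns 1 if none qualifies.
find_ca_bundle() {
    set_paths
    for f in "$LOCAL_PEM" "$ETC_PEM"; do
        [ -r "$f" ] || continue
        if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Number of PEM certificates in a bundle; 0 if it cannot be read.
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# ETCSYMLINK checked: back up whatever is at /etc/ssl/cert.pem, then replace it
# with a symlink to the ca_root_nss bundle.
install_etcsymlink_on() {
    set_paths
    mkdir -p "$(dirname "$ETC_PEM")"
    if [ -e "$ETC_PEM" ] || [ -L "$ETC_PEM" ]; then
        mv "$ETC_PEM" "$BACKUP"
    fi
    ln -s "$NSS_BUNDLE" "$ETC_PEM"
}

# ETCSYMLINK checked, deinstall: drop our symlink and restore the backup.
deinstall_etcsymlink_on() {
    set_paths
    rm -f "$ETC_PEM"
    if [ -e "$BACKUP" ] || [ -L "$BACKUP" ]; then
        mv "$BACKUP" "$ETC_PEM"
    fi
}

# ETCSYMLINK unchecked: only create the symlink if nothing is there already
# (a dangling symlink counts as "something", hence the -L test).
install_etcsymlink_off() {
    set_paths
    mkdir -p "$(dirname "$ETC_PEM")"
    if [ ! -e "$ETC_PEM" ] && [ ! -L "$ETC_PEM" ]; then
        ln -s "$NSS_BUNDLE" "$ETC_PEM"
    fi
}

# ETCSYMLINK unchecked, deinstall: if the symlink is ours, re-point it at the
# base bundle when that exists, otherwise remove it. A link we did not create
# is left alone.
deinstall_etcsymlink_off() {
    set_paths
    [ -L "$ETC_PEM" ] || return 0
    [ "$(readlink "$ETC_PEM")" = "$NSS_BUNDLE" ] || return 0
    rm -f "$ETC_PEM"
    if [ -f "$BASE_BUNDLE" ]; then
        ln -s "$BASE_BUNDLE" "$ETC_PEM"
    fi
}

# Stand-alone use: report which bundle a libfetch-style lookup would pick.
find_ca_bundle || echo "no usable CA bundle found under '${ROOT:-/}'" >&2
```

Run it with ROOT unset to see which bundle the lookup order selects on a live system, or with ROOT pointing at a scratch tree to walk through the four install/deinstall cases. Note that the "unchecked" deinstall deliberately refuses to touch a cert.pem it did not create, which is the behaviour you want when an admin has placed their own bundle there.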
