2015-07-30 20:16 GMT+03:00 Stuart Henderson <s...@spacehopper.org>:
> On 2015-07-30, Ted Unangst <t...@tedunangst.com> wrote:
>> Michael McConville wrote:
>>> > Another meat could be, why you're using self-signed certificates?
>>> > Given the plethora of options for getting free (valid) certificates.
>>>
>>> He mentioned in his original email that it's a requirement where he
>>> works. That's common, from what I hear, although probably not the
>>> safest.
>>
>> I would consider a cert signed by somebody I actually trust (me) safer than
>> delegating that trust to 300 strangers.
>
> I think cert.pem should move to the etc set, so you can remove
> CAs from the file (as well as add new ones) without risk of those
> changes getting reverted.
>
> Downside: CA changes will then only take effect after running
> sysmerge. Is that a problem?

I think it is. This is the same as with /etc/examples: less stuff to
merge, fewer errors to happen.

I'd ask another question: why can't software use /etc/ssl/myown.pem,
or /etc/ssl/*.pem, ever, instead of /etc/ssl/cert.pem? This will make
"trust" and "untrust" operations as simple as possible. No one in a
healthy mind would place junk in /etc/ssl anyway, right?

Or we may ship /etc/ssl/base.pem in the base tgz, and install
/etc/ssl/cert.pem -> base.pem at installation time. This way things
will work by default, and if you need to have your own trust path, you
just change the symlink. What do you think?


> Index: base/mi
> ===================================================================
> RCS file: /cvs/src/distrib/sets/lists/base/mi,v
> retrieving revision 1.716
> diff -u -p -r1.716 mi
> --- base/mi     16 Jul 2015 21:28:06 -0000      1.716
> +++ base/mi     30 Jul 2015 17:14:15 -0000
> @@ -221,7 +221,6 @@
>  ./etc/skel/.ssh
>  ./etc/ssh
>  ./etc/ssl
> -./etc/ssl/cert.pem
>  ./etc/ssl/lib
>  ./etc/ssl/private
>  ./etc/systrace
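Review bot: Dropping ./etc/ssl/cert.pem from base/mi while ./etc/ssl, ./etc/ssl/lib and ./etc/ssl/private stay in base means a system that installs base without the etc set, or an upgrade that does not run sysmerge afterwards, is left with an /etc/ssl directory but no CA bundle at all, so TLS verification silently has nothing to trust; the commit message should state that etc is now required for cert.pem and the upgrade notes should tell users to check that /etc/ssl/cert.pem still exists after upgrading.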
> Index: etc/mi
> ===================================================================
> RCS file: /cvs/src/distrib/sets/lists/etc/mi,v
> retrieving revision 1.199
> diff -u -p -r1.199 mi
> --- etc/mi      3 Jul 2015 22:52:52 -0000       1.199
> +++ etc/mi      30 Jul 2015 17:14:15 -0000
> @@ -42,6 +42,7 @@
>  ./etc/spwd.db
>  ./etc/ssh/ssh_config
>  ./etc/ssh/sshd_config
> +./etc/ssl/cert.pem
>  ./etc/ssl/openssl.cnf
>  ./etc/ssl/x509v3.cnf
>  ./etc/syslog.conf
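Review bot: Listing ./etc/ssl/cert.pem beside ./etc/ssl/openssl.cnf and ./etc/ssl/x509v3.cnf puts a large, generated CA bundle under the same sysmerge handling as small hand-edited config files, so any local change (a removed or added CA, which is the stated reason for the move) turns every upstream CA update into a large three-way merge, and a merge mistake there is hard to spot and directly affects what the system trusts; it would be worth noting in the commit message that cert.pem is now a merge candidate, or considering the base.pem plus symlink layout discussed above so that local trust changes never collide with upstream updates.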


--
  WBR,
  Vadim Zhukov
