[Bug 274016] certctl(8): deprecate and remove usage of <DESTDIR>/usr/local/etc/ssl/certs and <DESTDIR>/usr/local/etc/ssl/blacklisted as source for custom CA certs
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 274016] certctl(8): deprecate and remove usage of <DESTDIR>/usr/local/etc/ssl/certs and <DESTDIR>/usr/local/etc/ssl/blacklisted as source for custom CA certificates"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 274016] certctl(8): deprecate and remove usage of <DESTDIR>/usr/local/etc/ssl/certs and <DESTDIR>/usr/local/etc/ssl/blacklisted as source for custom CA certificates"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 274016] certctl(8): deprecate and remove usage of <DESTDIR>/usr/local/etc/ssl/certs and <DESTDIR>/usr/local/etc/ssl/blacklisted as source for custom CA certificates"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 22 Sep 2023 07:57:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274016 Bug ID: 274016 Summary: certctl(8): deprecate and remove usage of <DESTDIR>/usr/local/etc/ssl/certs and <DESTDIR>/usr/local/etc/ssl/blacklisted as source for custom CA certs Product: Base System Version: 12.4-STABLE Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: bin Assignee: bugs@FreeBSD.org Reporter: michael.osipov@siemens.com While discussing Bug 269473 me and others discovered that it is an abuse of /usr/local/etc/ssl/certs and likely /usr/local/etc/ssl/blacklisted. certctl(8) defines the following input directories: > TRUSTPATH List of paths to search for trusted certificates. > Default: <DESTDIR>/usr/share/certs/trusted > <DESTDIR>/usr/local/share/certs > <DESTDIR>/usr/local/etc/ssl/certs > > BLACKLISTPATH List of paths to search for blacklisted certificates. > Default: <DESTDIR>/usr/share/certs/blacklisted > <DESTDIR>/usr/local/etc/ssl/blacklisted TRUSTPATH: <DESTDIR>/usr/local/etc/ssl/certs When any OpenSSL derivate is installed from ports, is expects that its rehash algorithm puts hashed links to /usr/local/etc/ssl/certs. This is not supposed to be an input directory to another hashing process, but solely output to ports hashing and input for any ports OpenSSL derivate. An implementation detail so to speak. The actual subject hashing is an implementation detail and not publically documented unless you read the source code. In that spirit, this dir should be deprecated and removed w/o replacement since we have <DESTDIR>/usr/local/share/certs for custom certs beyond base. BLACKLISTPATH: <DESTDIR>/usr/local/etc/ssl/blacklisted. This is logically identical to the above. /usr/local/etc/ssl serves as OPENSSLDIR. The actual, logical path should be <DESTDIR>/usr/local/share/certs/blacklisted. Identical approach, introduce new one, deprecate and remove old one. I am certain that I have discussed this to some degree with Kyle Evans (kevans@), but he has left the topic, unfortunately. -- You are receiving this mail because: You are the assignee for the bug.