[Bug 283161] security/ca_root_nss: handle bundle links consistently for ETCSYMLINK
Date: Fri, 06 Dec 2024 09:24:30 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283161

            Bug ID: 283161
           Summary: security/ca_root_nss: handle bundle links consistently for ETCSYMLINK
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://reviews.freebsd.org/D47908
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: franco@opnsense.org
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

Hi,

Due to code audits and reviews the topic of default bundle location handling was brought up. The bundles are less interesting today with certctl but since the option is still the default I want to straighten out the behaviour.

* Treat /usr/local/openssl/cert.pem the same as /etc/ssl/cert.pem under ETCSYMLINK use and avoid its creation when the option is off.
* Remove /usr/local/openssl/cert.pem.sample to match the behaviour of /etc/ssl/cert.pem
* To allow consistent override of all locations point the symlinks to /usr/local/etc/ssl/cert.pem instead of /usr/local/etc/ssl/cert.pem.sample

I'm happy to draft an UPDATING entry and adjust pkg-message accordingly. There are intentional behavioural changes at the benefit of easier user-based handling of /usr/local/etc/ssl/cert.pem modification. For non-modified deployments the resulting behaviour is still the same.

Review link: https://reviews.freebsd.org/D47908

Thanks,
Franco

-- 
You are receiving this mail because:
You are the assignee for the bug.
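
An added example, not part of the report or of the port: a shell check that classifies the two default bundle locations named in the report by their symlink target and flags when they are handled differently. The root-prefix argument, the function names and the constructed staging tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the default CA bundle locations named in the report.
# The root prefix is a hypothetical argument so a staged tree can be checked.

SAMPLE=/usr/local/etc/ssl/cert.pem.sample   # link target the report moves away from
OVERRIDE=/usr/local/etc/ssl/cert.pem        # link target the report proposes

# Print one status word for a single bundle location under the given root.
bundle_link_status() {
    full="$1$2"
    if [ -L "$full" ]; then
        target=$(readlink "$full")          # direct target, may be dangling
        case "$target" in
            "$SAMPLE")   echo sample ;;
            "$OVERRIDE") echo override ;;
            *)           echo "other:$target" ;;
        esac
    elif [ -e "$full" ]; then
        echo file                           # regular file, not a link
    else
        echo absent                         # proposed state when ETCSYMLINK is off
    fi
}

# Report both locations; succeed only if they are in the same state.
audit_bundle_links() {
    a=$(bundle_link_status "$1" /etc/ssl/cert.pem)
    b=$(bundle_link_status "$1" /usr/local/openssl/cert.pem)
    echo "/etc/ssl/cert.pem: $a"
    echo "/usr/local/openssl/cert.pem: $b"
    [ "$a" = "$b" ]
}

# Constructed staging tree with deliberately inconsistent links (not a real install).
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/etc/ssl" "$demo/usr/local/openssl" "$demo/usr/local/etc/ssl"
    : > "$demo$SAMPLE"
    ln -s "$SAMPLE" "$demo/etc/ssl/cert.pem"
    ln -s "$OVERRIDE" "$demo/usr/local/openssl/cert.pem"
    echo "$demo"
}

# Run against a root given on the command line, e.g. "/" or a staging directory.
if [ $# -gt 0 ]; then audit_bundle_links "$1"; fi
```

A link reported as `override` may be dangling until /usr/local/etc/ssl/cert.pem exists; the check reads the link target only and does not follow it.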