RFC: Proposal: Install a /etc/ssl/cert.pem by default?

Dag-Erling Smørgrav des at des.no
Sat Oct 25 19:21:27 UTC 2014


Reviving this discussion because it was never resolved.

Xin Li <delphij at delphij.net> writes:
> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
> because we do not maintain one ourselves.  [...]  So my proposal would
> be:
>
> 1. Import a set of trusted root certificates, and install if
> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;

At a minimum, we need the certificate chain for all freebsd.org
certificates.

> 2. In src/etc/Makefile, automatically create a symbolic link if it's
> not already present in ${DESTDIR}/etc/ssl;
>
> 3. Teach mergemaster(8) and other similar applications to create the
> symbolic link on demand;
>
> 4. Change the install/deinstall behavior of security/ca_root_nss:
>    ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
> install then overwrite with new symlink, and restore on deinstall.
>    ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
> install a new symlink; on deinstall, if
> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
> symlink to there, or remove if the file does not exist.

I would prefer to have each port install its certificate list in a
"hidden" location which is then added to the search path using c_rehash.
This may require changing libfetch and various applications to pass a
path to SSL_CTX_load_verify_locations() instead of or in addition to a
file.

DES
-- 
Dag-Erling Smørgrav - des at des.no
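What the reply proposes for port-installed certificate lists, a hashed directory in the style of c_rehash that OpenSSL searches as a CApath, as a shell example added to this page (it is not code from the thread, from FreeBSD or from the ca_root_nss port): it builds a throwaway CA and leaf certificate with openssl(1), links the CA under its subject-name hash the way c_rehash would, and checks that the leaf verifies against that directory alone while an empty directory rejects it. Directory and file names are constructed for the example, and the openssl command line is assumed to be available.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: emulate what c_rehash
# does for a CA directory and check a certificate against that directory only.
# Assumes the openssl(1) command line is available; all names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway root CA and a leaf certificate signed by it.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Example Test Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=leaf.example" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# What c_rehash does per file: name it <subject-name-hash>.<n> in the
# directory; OpenSSL looks up issuers in a CApath by exactly that name.
# Prints the link name that was created.
add_to_capath() {
    dir=$1; cert=$2
    h=$(openssl x509 -in "$cert" -noout -hash)
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$cert" "$dir/$h.$n"
    echo "$h.$n"
}

# Succeeds only if the leaf chains to an issuer findable in the directory,
# i.e. the same lookup SSL_CTX_load_verify_locations() does with CApath set.
verify_with_capath() {
    dir=$1; cert=$2
    openssl verify -CApath "$dir" "$cert" >/dev/null 2>&1
}

# Stand-alone demo: populated directory verifies, empty directory does not.
demo() {
    make_test_pki
    mkdir -p "$WORK/hashed" "$WORK/empty"
    link=$(add_to_capath "$WORK/hashed" "$WORK/ca.pem")
    echo "linked CA as $link"
    if verify_with_capath "$WORK/hashed" "$WORK/leaf.pem"; then
        echo "leaf verifies via hashed CApath"
    fi
    if ! verify_with_capath "$WORK/empty" "$WORK/leaf.pem"; then
        echo "leaf does not verify via empty CApath"
    fi
}

demo
```

An application that wants this search path passes the directory as the CApath argument of SSL_CTX_load_verify_locations(), which is the change the reply mentions for libfetch; OpenSSL then opens <hash>.<n> entries only when it needs an issuer, so one directory can hold several ports' certificates without loading them all up front.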