Location of the SSL CA root store (affects fetch(1) from base, ftp/wget, ftp/curl, and probably all software using OpenSSL)

Allan Jude allanjude at freebsd.org
Fri Mar 4 17:24:22 UTC 2016


On 2016-03-04 12:20, Moritz Wilhelmy wrote:
> Hello,
> 
> First off, I've been considering reporting this as multiple bugs and it
> is a tough decision for me because I think there should be more internal
> discussion about what the project thinks about the official location for
> CA root certificate storage, so I'm sending this to the lists instead,
> hoping I reach the right people. Please excuse any mistakes in this
> regard, I'm new on the lists.
> 
> Is there a guideline or official stance regarding where software should
> look for the CA Root certificate store? If not, I think there should be.
> 
> Tested on FreeBSD 10.1 with curl 7.47.0 and wget 1.16 with OpenSSL from
> the base system and no OpenSSL port installed.
> 
> fetch
> =====
> 
> fetch looks for CA root certificates in /usr/local/etc/ssl/certs, which
> seems counterintuitive given that it is part of the base system.
> 
> Command used (for easy copy-pasting):
> $ truss fetch -o /dev/null https://cacert.org 2>&1 | grep ^open
> 
> wget
> ====
> 
> ftp/wget only looks at /etc/ssl/certs, which is again counterintuitive
> given that it's a third-party package installed via the ports framework.
> 
> $ truss wget -O /dev/null https://cacert.org 2>&1 | grep ^open
> 
> curl
> ====
> 
> curl with the ca-root-nss option only looks at the file installed by
> that package that contains all NSS root certificates, but it completely
> ignores the CA certificate storage at /etc/ssl/certs as well as
> ${LOCALBASE}/etc/ssl/certs; instead, it only ever looks at
> ${LOCALBASE}/share/certs/ca-root-nss.crt, where a sysadmin can't add
> certificates without their changes being overwritten by subsequent
> updates to the CA bundle package. (I've confirmed this via truss(1), but
> curl -v prints this path as well.)
> 
> I haven't tried recompiling curl without the option to see where it
> would look for root certificates.
> 
> $ truss curl -o /dev/null https://cacert.org 2>&1 | grep ^open
> 
> 
> Best regards,
> 
> Moritz
> 

This recent patch may be of interest to you:

https://svnweb.freebsd.org/base/head/lib/libfetch/common.c?revision=294326&view=markup

-- 
Allan Jude
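As an added example (not code from the thread, from libfetch, or from any of the tools named), a small sh script that audits the CA store locations the quoted post lists and reports which ones exist on the host it runs on and how many PEM certificates each holds. LOCALBASE defaulting to /usr/local and the two cert.pem paths are assumptions; the three directory/bundle paths come from the post.

```shell
#!/bin/sh
# Added example, not from the thread: audit the CA root store locations the
# three tools above were observed to use, and report what actually exists on
# this host. LOCALBASE and the cert.pem paths are assumptions; adjust as needed.
LOCALBASE="${LOCALBASE:-/usr/local}"

# count_certs FILE: number of PEM certificates in a bundle (0 if unreadable).
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    # grep -c exits 1 when the count is 0 but still prints "0", hence || true
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# candidate_stores: the locations named in the thread, one per line.
candidate_stores() {
    printf '%s\n' \
        /etc/ssl/certs \
        /etc/ssl/cert.pem \
        "$LOCALBASE/etc/ssl/certs" \
        "$LOCALBASE/etc/ssl/cert.pem" \
        "$LOCALBASE/share/certs/ca-root-nss.crt"
}

# store_kind PATH: file, dir or missing.
store_kind() {
    if [ -d "$1" ]; then echo dir
    elif [ -f "$1" ]; then echo file
    else echo missing; fi
}

# audit_stores: "<kind> <certs> <path>" for each candidate; a dir's count is
# the sum over the regular files (or symlinks to files) directly inside it.
audit_stores() {
    candidate_stores | while IFS= read -r p; do
        kind=$(store_kind "$p"); n=0
        case $kind in
            file) n=$(count_certs "$p") ;;
            dir)  for f in "$p"/*; do
                      [ -f "$f" ] && n=$((n + $(count_certs "$f")))
                  done ;;
        esac
        printf '%-7s %5s  %s\n' "$kind" "$n" "$p"
    done
}

audit_stores
```

A "missing" line for a path a tool was observed to open explains a TLS failure without network debugging; a "file" line with a non-zero count at ${LOCALBASE}/share/certs/ca-root-nss.crt is the package-managed bundle that local additions will not survive in.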


