RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Bryan Drewery
bdrewery at FreeBSD.org
Wed Oct 1 20:59:03 UTC 2014
On 7/2/2014 8:55 PM, Bryan Drewery wrote:
> On 7/2/2014 6:45 PM, Xin Li wrote:
>> Hi,
>>
>> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
>> because we do not maintain one ourselves. We do, however, provide a
>> port, security/ca_root_nss, which has an option to install a symbolic
>> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
>> which is not the default option.
>>
>> This becomes a problem when applications, e.g. fetch(8), have grown
>> support for doing certificate validation. I think now it makes sense
>> to have a default cert.pem installed with the base system.
>>
>> So my proposal would be:
>>
>> 1. Import a set of trusted root certificates, and install if
>> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
>>
>> 2. In src/etc/Makefile, automatically create a symbolic link if it's
>> not already present in ${DESTDIR}/etc/ssl;
>>
>> 3. Teach mergemaster(8) and other similar applications to create the
>> symbolic link on demand;
>>
>> 4. Change the install/deinstall behavior of security/ca_root_nss:
>> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
>> install then overwrite with new symlink, and restore on deinstall.
>> ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
>> install a new symlink; on deinstall, if
>> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
>> symlink to there, or remove if the file does not exist.
>>
>> Comments/objections?
>>
>> Cheers,
>
> Please see r266291.
>
> libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl.
>
> The next step was to have the port always install the symlink there.
> It's fallen through the cracks though.
>
> This only allows fixing applications that use libfetch though and not
> other applications that expect a /etc/ssl/cert.pem like curl.
This seems to have been dropped. We do need some sort of solution though.
I've found that curl already does the right thing and looks at the
proper /usr/local location for the ca_root_nss bundle, because the curl
port is configured to do so.
The remaining piece IMHO would be fixing base openssl to look for
/usr/local/etc/ssl/cert.pem before /etc/ssl/cert.pem. The port currently
looks in /usr/local/openssl by default and not /etc/ssl.
Here is a patch for the port to check /usr/local/etc/ssl first:
https://people.freebsd.org/~bdrewery/patches/port-openssl-local-cert-pem.diff
And a patch for base libcrypto to check /usr/local/etc/ssl first:
https://people.freebsd.org/~bdrewery/patches/base-openssl-local-cert-pem.diff
These allow things like wget to work by default once ca_root_nss is
installed with the /usr/local/etc/ssl/cert.pem symlink.
As for installing a CA root bundle by default, we could just bootstrap
it along with pkg from ca_root_nss.
--
Regards,
Bryan Drewery
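The lookup order and the symlink install/deinstall behaviour discussed in this thread, as an added example that is not part of the original posts, of the FreeBSD base system, or of the ca_root_nss port. Assumptions: every path is taken relative to a caller-supplied root so the logic can be exercised in a scratch directory rather than on the live system; the `cert.pem.bak` backup name and the one-line placeholder bundle are made up for the example; the install side follows the "ETCSYMLINK checked" case and the deinstall side combines both cases (restore a backup if there is one, otherwise fall back to the base bundle or remove the link).

```shell
#!/bin/sh
# Added example, not FreeBSD's or the ca_root_nss port's code.  Every path
# is taken relative to a caller-supplied root so the behaviour can be
# exercised in a scratch directory instead of the live system; the
# "cert.pem.bak" backup name is an assumption, not what the port uses.

# Lookup order the thread proposes for libfetch/libcrypto: the
# port-managed bundle under /usr/local first, then the base /etc/ssl.
# Prints the first usable bundle; returns 1 when none is found.
find_ca_bundle() {
    root="${1:-}"
    for p in "$root/usr/local/etc/ssl/cert.pem" "$root/etc/ssl/cert.pem"; do
        # -f follows symlinks, so a dangling link is skipped like a
        # missing file; -s rejects an empty bundle, which would fail
        # every verification.
        if [ -f "$p" ] && [ -r "$p" ] && [ -s "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Install side of the "ETCSYMLINK checked" case: back up whatever is at
# /etc/ssl/cert.pem, then point it at the ca_root_nss bundle.
install_etc_symlink() {
    root="$1"
    target="$root/usr/local/share/certs/ca-root-nss.crt"
    link="$root/etc/ssl/cert.pem"
    backup="$link.bak"
    [ -f "$target" ] || return 1
    mkdir -p "$root/etc/ssl" || return 1
    if [ -e "$link" ] || [ -L "$link" ]; then
        # Refuse rather than clobber an earlier backup.
        if [ -e "$backup" ]; then return 1; fi
        mv "$link" "$backup" || return 1
    fi
    ln -s "$target" "$link"
}

# Deinstall side, combining both cases from the proposal: restore a
# backup if one exists; otherwise point the link at the base bundle
# /usr/share/misc/ca-root-freebsd.pem if that exists, else remove it.
# A regular file (admin-managed) is left alone.
deinstall_etc_symlink() {
    root="$1"
    link="$root/etc/ssl/cert.pem"
    backup="$link.bak"
    base="$root/usr/share/misc/ca-root-freebsd.pem"
    [ -L "$link" ] || return 0
    rm -f "$link" || return 1
    if [ -e "$backup" ]; then
        mv "$backup" "$link"
    elif [ -f "$base" ]; then
        ln -s "$base" "$link"
    fi
}

# Scratch tree with a constructed stand-in for the port's bundle (a real
# one is a concatenation of PEM certificates).  Prints the root path.
make_scratch_root() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/local/share/certs" "$root/usr/local/etc/ssl" \
             "$root/etc/ssl" "$root/usr/share/misc" || return 1
    printf '%s\n' '# constructed placeholder for ca-root-nss.crt' \
        > "$root/usr/local/share/certs/ca-root-nss.crt" || return 1
    printf '%s\n' "$root"
}

# Walk through the thread's scenario in a throw-away root.
demo() {
    R=$(make_scratch_root) || return 1
    if find_ca_bundle "$R" >/dev/null; then
        echo "unexpected: bundle found before install"; return 1
    fi
    install_etc_symlink "$R" || return 1
    echo "after install:   $(find_ca_bundle "$R")"
    deinstall_etc_symlink "$R" || return 1
    if find_ca_bundle "$R" >/dev/null; then
        echo "unexpected: bundle left after deinstall"; return 1
    fi
    echo "after deinstall: no bundle (no base bundle to fall back to)"
    rm -rf "$R"
}
demo
```

The `-s` test in `find_ca_bundle` is the caveat worth keeping: an empty or dangling `/etc/ssl/cert.pem` is worse than none, because every client that finds it will fail verification while believing a trust store is configured.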