ports/160387: security/ca_root_nss: Allow user to trust extra local certificates
Jan Beich
jbeich at tormail.org
Thu Jan 31 19:40:01 UTC 2013
The following reply was made to PR ports/160387; it has been noted by GNATS.
From: Jan Beich <jbeich at tormail.org>
To: Romain Tartiere <romain at FreeBSD.org>
Cc: bug-followup at freebsd.org
Subject: Re: ports/160387: security/ca_root_nss: Allow user to trust extra local certificates
Date: Fri, 01 Feb 2013 00:30:34 +0500
Romain Tartiere <romain at FreeBSD.org> writes:
> 1. Have some domain protected by some self-made certificate or e.g. cacert
> 2. Install security/ca_root_nss and ftp/curl
> 3. curl https://some.domain.example.com/
> ** fails **
> 4. cat cert >> /usr/local/share/certs/ca-root-nss.crt
> 5. curl https://some.domain.example.com/
> ** success **
This mostly depends on the app, e.g.:
- openssl(1) only uses CA certs with -CApath or -CAfile
- subversion (neon), lynx, etc. call SSL_CTX_set_default_verify_paths()
- curl (openssl) hardcodes either /etc/ssl/certs/ or
${LOCALBASE}/share/certs/ca-root-nss.crt (CA_BUNDLE option)
- curl (gnutls) hardcodes /etc/ssl/cert.pem
- epiphany2 (gnutls?) accepts self-signed certificates without
warning but otherwise hardcodes path to ca-root-nss.crt
- firefox and chromium use CA certs hardcoded into libnssckbi.so from a
bundled copy of certdata.txt in the nss port (not ca_root_nss)
and in a bit more detail:
# add a shared self-signed certificate
$ mkdir /etc/ssl/certs; cd /etc/ssl/certs
$ openssl s_client -connect trillian.chruetertee.ch:https </dev/null 2>&0 |
sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
openssl x509 -text -fingerprint >freebsd-gecko.crt
$ ln -sf freebsd-gecko.crt $(openssl x509 -hash -noout -in freebsd-gecko.crt).0
$ openssl s_client -connect trillian.chruetertee.ch:https -CApath /var/empty
...
Verify return code: 0 (ok)
$ curl https://trillian.chruetertee.ch/svn/freebsd-gecko/trunk/
<?xml version="1.0"?>
...
$ HOME=/var/empty svn ls https://trillian.chruetertee.ch/svn/freebsd-gecko/trunk/
Gecko_ChangeLog
Gecko_TODO
Mk/
devel/
mail/
security/
www/
It may be worth looking at how other distros tried to solve the mess.
https://fedoraproject.org/wiki/FedoraCryptoConsolidation
http://en.opensuse.org/SDB:Share_certificates_between_applications_or_whole_system
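As an added example that is not part of this PR, of the ca_root_nss port, or of the message above: a small POSIX sh script that does what the transcript does by hand, i.e. drops one extra local CA certificate into an OpenSSL-style CApath directory under the subject-hash symlink name and then verifies a certificate against that directory alone. It assumes only openssl(1) in PATH (1.1.0 or newer, because `openssl verify -no-CAfile` is used to keep the default bundle out of the check; the hypothetical paths are arguments, not real system locations), and it goes slightly beyond the transcript by choosing the next free `.N` suffix the way c_rehash does, so two CAs whose subject names hash to the same value can coexist. `default_capath` prints the directory that apps calling SSL_CTX_set_default_verify_paths() (the subversion/neon and lynx cases above) will search, honouring the SSL_CERT_DIR override.

```shell
#!/bin/sh
# Added example, not code from the PR or from the ca_root_nss port.
# Assumes only openssl(1) in PATH (1.1.0+, for `verify -no-CAfile`).

set -u

# default_capath: where OpenSSL-linked apps look when they call
# SSL_CTX_set_default_verify_paths(): OPENSSLDIR/certs, unless the
# SSL_CERT_DIR environment variable overrides it.
default_capath() {
    if [ -n "${SSL_CERT_DIR-}" ]; then
        printf '%s\n' "$SSL_CERT_DIR"
        return 0
    fi
    # `openssl version -d` prints: OPENSSLDIR: "/some/dir"
    dir=$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/') || return 1
    printf '%s/certs\n' "$dir"
}

# install_local_ca CERT.pem CAPATH
# Copies CERT.pem into CAPATH (unless it already lives there) and creates the
# <subject_hash>.N symlink that OpenSSL's CApath lookup expects, taking the
# first free N so certificates with colliding hashes can coexist.
# Prints the symlink name and returns 0; returns 1 on any failure.
install_local_ca() {
    cert=$1
    capath=$2
    mkdir -p "$capath" || return 1
    # Refuse anything that is not a parseable X.509 certificate (e.g. a key)
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 1
    subj_hash=$(openssl x509 -hash -noout -in "$cert") || return 1
    base=$(basename "$cert")
    if ! [ "$cert" -ef "$capath/$base" ]; then
        cp "$cert" "$capath/$base" || return 1
    fi
    n=0
    while [ -e "$capath/$subj_hash.$n" ]; do
        n=$((n + 1))
    done
    # Relative link target, so the directory can be moved as a whole
    ln -s "$base" "$capath/$subj_hash.$n" || return 1
    printf '%s\n' "$subj_hash.$n"
}

# verify_with_capath CERT.pem CAPATH
# Returns 0 only if CERT.pem chains to a certificate found in CAPATH.
# -no-CAfile keeps the default bundle file (e.g. ca-root-nss.crt) out of the
# check, which is the same idea as `openssl s_client -CApath /var/empty` above.
verify_with_capath() {
    openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1
}

# Usage: sh local-ca.sh CERT.pem CAPATH
# Installs CERT.pem into CAPATH, then verifies it against CAPATH alone.
if [ $# -eq 2 ]; then
    link=$(install_local_ca "$1" "$2") || { echo "install failed" >&2; exit 1; }
    echo "installed as $2/$link"
    if verify_with_capath "$1" "$2"; then
        echo "verify: OK"
    else
        echo "verify: FAILED" >&2
        exit 1
    fi
fi
```

Running it against an empty directory first, as the transcript does with /var/empty, is the useful negative check: if verification already succeeds there, the cert is being trusted from somewhere other than the directory you think you are testing.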