SSL is broken on FreeBSD

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Apr 2 08:45:12 UTC 2011


On 02/04/2011 00:30, Chad Perrin wrote:
> I don't think that either of the two options currently under discussion
> (quietly provide a "trusted" CA list or quietly fail to provide one)
> is optimal.  In the best-case scenario, I guess there would be some
> self-evident system for letting the user choose what to use, if anything,
> giving a very brief, glancing explanation of the meaning of trust in this
> circumstance.  Failing that -- given the options currently available to
> us without writing more software to do it differently in a way that's
> compatible with how we manage our OSes -- I don't much care whether a
> list of "trusted" CAs is included or not.  The important thing here is
> knowledge, and both approaches under discussion fail to impart any
> knowledge upon the user, so it's six of one and half a dozen of the
> other.
> 
> I'm open to being convinced it really matters, though, if someone has an
> argument more compelling than Istvan's.
> 
> (This ignores the notion that there are simply better ways to validate
> certs than via CA trust, which is a somewhat separate issue.)

There's a point here that no-one has explored.

Yes, Firefox, Chrome, IE all come with a pre-configured list of trusted
CAs.  That is the list of CAs that those vendors think their users
should trust /to validate websites/.  This is a solution (maybe not a
particularly satisfying one) for the problem of establishing trust
between a site and a potentially very large audience of subscribers
without having to have some sort of individual verification procedure
between each user and the site: something which is clearly impractical.

What are the applications[*] that a central CA store provided by the
openssl libraries is supposed to provide validation for?  Well, it
could be anything that uses SSL/TLS.  Why should we assume that it is
appropriate to trust the same set of CAs as are used to validate
websites?  Much of the time, that is exactly what you don't want to do
-- frequently you only want to trust a small private group, where you
know all the other parties already.  In this case, having system updates
gratuitously install some other set of CA certs is a gross security
violation.

FreeBSD doesn't assume anything much about the way anyone is going to
use it.  This comes as a bit of a shock to many users of other OSes, who
are used to something much more pre-configured to specific use cases.
This is a gap that PC-BSD fills.  Personally, I'd be quite happy
describing PC-BSD as a "distro" of FreeBSD aimed at desktop users,
although I don't know what the PC-BSD folks would think of that.

	Cheers

	Matthew

[*] In fact, most applications that use SSL/TLS will have their own
facilities for keeping a chain of trusted CAs outside /etc/ssl.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
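
The case described in the message above, where an application should trust only a small private CA rather than a web-style bundle, as an added example that is not part of the original message. The names private-ca, web-ca, internal-service and some-website are constructed, and the script assumes the OpenSSL 1.1.0 or later command-line tool with a stock openssl.cnf.

```shell
#!/bin/sh
# Added example: every key and certificate here is constructed at run time.
# Assumption: the stock openssl.cnf marks "req -x509" certificates as CA:TRUE.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA certificate NAME.crt with key NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf CA NAME: issue certificate NAME.crt signed by CA
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# trusted_by CA NAME: succeed only if NAME.crt chains to CA.
# -CAfile replaces the default CA file and -no-CApath excludes the default
# CA directory, so nothing installed system-wide can widen the trust set.
trusted_by() {
    openssl verify -no-CApath -CAfile "$WORK/$1.crt" "$WORK/$2.crt" \
        >/dev/null 2>&1
}

make_ca private-ca                      # the private group's own CA
make_ca web-ca                          # stands in for a browser-bundle CA
issue_leaf private-ca internal-service
issue_leaf web-ca some-website

# The application trusts private-ca only.
for cert in internal-service some-website; do
    if trusted_by private-ca "$cert"; then
        echo "$cert: accepted"
    else
        echo "$cert: rejected"
    fi
done
```
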
