RFC: Proposal: Install a /etc/ssl/cert.pem by default?

Xin Li delphij at delphij.net
Wed Jul 2 23:45:59 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

Currently, FreeBSD does not install a default /etc/ssl/cert.pem
because we do not maintain one ourselves.  We do, however, provide a
port, security/ca_root_nss, which have an option to install a symbolic
link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
which is not the default option.

This become a problem when applications, e.g. fetch(8), have grown the
support of doing certificate validation.  I think now it makes sense
to have a default cert.pem installed with the base system.

So my proposal would be:

1. Import a set of trusted root certificates, and install if
MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;

2. In src/etc/Makefile, automatically create a symbolic link if it's
not already present in ${DESTDIR}/etc/ssl;

3. Teach mergemaster(8) and other similar applications to create the
symbolic link on demand;

4. Change the install/deinstall behavior of security/ca_root_nss:
   ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
install then overwrite with new symlink, and restore on deinstall.
   ETCSYMLINK unchecked: If /etc/ssl/cert.pem do not pre-exist,
install new a symlink; on deinstall, if
/usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
symlink to there, or remove if the file does not exist.

Comments/objections?

Cheers,
- -- 
Xin LI <delphij at delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJTtJmxAAoJEJW2GBstM+nsGoQQAJ8Ntso43Lz5YiwVVoar4BsZ
2d5YCv9ODyIVTHQMqz1lOP51NxzgvNPY4Ycdez0CEK8Az4VSSdouQJoBHRp70nCR
1ulMlZ06SXp8EcvPkDHFJC+1CbYu7ezSwgXLndj+7nOtXqr2t12/EccT40+YRNMN
zCUTHDWSdiuwNL9TLzDmyEO1oCcgej+zY5rSbVHiUWLQPUPG2ffvaddKCggJoRpp
rV/35H7aYNB1LzBpUp0/wisXvNrkXQh4YcH0e2Z7ILwn6GImE8gWex1hi0yndDeW
7wg+0e4HnwrjZrvNCqeggO+7owCYjE4mnb1qexBTrjvkeAKSjTvkiJzrS14S7yO2
Zj2d9S6504M/28i7+QdzANTrqD6yig6HHT5uL6MiSCnaW6G9+mjVB0OljXHCBARg
hFtKUxuVJFDANrbs5AmMwA3euLVHUuPtBL/t+yLSoobdVdvTcukftl7i6l86GDlw
rVyl57KLSwInAWZLox0+oPXacEwBYk/K0W1VdmbanLO8q2rdNDD5sKJP2I278LjT
wYGgjBOWuNfQTAKK13NMrat8DyvMM6lj5fhKkTDrKU6gEwoDeWsOsc5zKF2+lEGU
9nBi0Ll8jaQ3DBlOJcYa6VZMrgBe6dMRxhus0fVQYX8VKpezTwGGWh7Mdb+AJJxx
DN4UDkFEYreAP4szDYHC
=zwfk
-----END PGP SIGNATURE-----

More information about the freebsd-security mailing list