[Bug 274016] certctl(8): deprecate and remove usage of <DESTDIR>/usr/local/etc/ssl/certs and <DESTDIR>/usr/local/etc/ssl/blacklisted as source for custom CA certs
Date: Fri, 22 Sep 2023 07:57:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274016
Bug ID: 274016
Summary: certctl(8): deprecate and remove usage of
<DESTDIR>/usr/local/etc/ssl/certs and
<DESTDIR>/usr/local/etc/ssl/blacklisted as source for
custom CA certs
Product: Base System
Version: 12.4-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: michael.osipov@siemens.com
While discussing Bug 269473, others and I discovered that it is an abuse of
/usr/local/etc/ssl/certs and likely /usr/local/etc/ssl/blacklisted.
certctl(8) defines the following input directories:
> TRUSTPATH List of paths to search for trusted certificates.
> Default: <DESTDIR>/usr/share/certs/trusted
> <DESTDIR>/usr/local/share/certs
> <DESTDIR>/usr/local/etc/ssl/certs
>
> BLACKLISTPATH List of paths to search for blacklisted certificates.
> Default: <DESTDIR>/usr/share/certs/blacklisted
> <DESTDIR>/usr/local/etc/ssl/blacklisted
TRUSTPATH: <DESTDIR>/usr/local/etc/ssl/certs
When any OpenSSL derivative is installed from ports, it expects that its rehash
algorithm puts hashed links into /usr/local/etc/ssl/certs. This is not supposed
to be an input directory to another hashing process, but solely output of the
ports hashing and input for any ports OpenSSL derivative. An implementation
detail, so to speak. The actual subject hashing is an implementation detail and
not publicly documented unless you read the source code.
In that spirit, this directory should be deprecated and removed without
replacement, since we have <DESTDIR>/usr/local/share/certs for custom certs
beyond base.
BLACKLISTPATH: <DESTDIR>/usr/local/etc/ssl/blacklisted. This is logically
identical to the above. /usr/local/etc/ssl serves as OPENSSLDIR. The actual,
logical path should be <DESTDIR>/usr/local/share/certs/blacklisted. Identical
approach: introduce the new one, deprecate and remove the old one.
I am certain that I have discussed this to some degree with Kyle Evans
(kevans@), but he has left the topic, unfortunately.
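As an added example (not part of the bug report and not certctl(8)'s own code), the POSIX sh script below mimics the step the report is talking about: it takes a TRUSTPATH-style directory of PEM CA certificates, skips any whose SHA-256 fingerprint matches a certificate in a BLACKLISTPATH-style directory, and populates a separate output directory with the <subject_hash>.<N> links that OpenSSL's -CApath lookup expects, including the .0/.1 suffixes used when two certificates share a subject. It assumes openssl(1) is on PATH and generates throwaway self-signed certificates itself; every directory is a scratch path, not one of the FreeBSD locations named above. Matching the blacklist by fingerprint is this example's simplification, not a description of certctl's method.

```shell
#!/bin/sh
# Added example: a minimal certctl(8)-style "rehash" that turns a directory of
# trusted PEM CA certs into the OpenSSL hashed-link layout (<subject_hash>.<N>),
# skipping any cert that also appears in a blacklist directory. Illustrative
# code, not certctl's implementation. Assumed: openssl(1) on PATH; all paths
# below are scratch directories created here.
set -eu

WORK=$(mktemp -d)
TRUST="$WORK/trusted"        # stand-in for one TRUSTPATH entry
BLACK="$WORK/blacklisted"    # stand-in for one BLACKLISTPATH entry
OUT="$WORK/certs"            # stand-in for the hashed-link output directory
mkdir -p "$TRUST" "$BLACK" "$OUT"

# Constructed sample input: throwaway self-signed CA certs, fresh key each time.
mkcert() {  # mkcert <outfile> <CN>
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1 -subj "/CN=$2" -keyout "$WORK/k.pem" -out "$1" 2>/dev/null
}

# SHA-256 fingerprint, hex part only; used here as the blacklist match key.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# OpenSSL's subject-name hash: the 8-hex-digit prefix of a hashed link name.
subject_hash() {
    openssl x509 -in "$1" -noout -subject_hash
}

# Is the cert's fingerprint present among the certs in the blacklist directory?
is_blacklisted() {  # is_blacklisted <cert> <blacklistdir>
    fp=$(fingerprint "$1")
    for b in "$2"/*.pem; do
        [ -f "$b" ] || continue
        [ "$(fingerprint "$b")" = "$fp" ] && return 0
    done
    return 1
}

# rehash <trustdir> <blacklistdir> <outdir>: link each non-blacklisted cert as
# <hash>.<N>, taking the lowest free N so same-subject certs do not collide.
rehash() {
    for c in "$1"/*.pem; do
        [ -f "$c" ] || continue
        if is_blacklisted "$c" "$2"; then
            continue
        fi
        h=$(subject_hash "$c")
        n=0
        while [ -e "$3/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$c" "$3/$h.$n"
    done
}

# Number of hashed links in a directory (names of the form <8 hex>.<N>).
count_links() {
    find "$1" -type l -name '????????.*' | wc -l | tr -d ' '
}

# Does OpenSSL accept <cert> with the hashed directory as the only trust source?
verifies() {  # verifies <cert> <capath>
    openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1
}

# Two certs with the same subject (different keys) to force a suffix collision,
# one cert that is also blacklisted, and one plain trusted cert.
mkcert "$TRUST/root-a1.pem" "Example Root A"
mkcert "$TRUST/root-a2.pem" "Example Root A"
mkcert "$TRUST/root-b.pem"  "Example Root B"
mkcert "$TRUST/root-c.pem"  "Example Root C"
cp "$TRUST/root-b.pem" "$BLACK/root-b.pem"

rehash "$TRUST" "$BLACK" "$OUT"
ls -l "$OUT"
```

The output directory is a derived artifact keyed by OpenSSL's internal subject hash, which is why the script keeps it strictly separate from its input directories: pointing a rehash run at its own output would mean hashing links that are already hashed, which is the situation the report objects to for /usr/local/etc/ssl/certs.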