Using bidirectional authentication in pkgng

Michael Gmelin freebsd at grem.de
Sun Mar 31 00:45:03 UTC 2013


On Fri, 18 Jan 2013 20:55:40 +0000
Matthew Seaman <m.seaman at infracaninophile.co.uk> wrote:

> On 18/01/2013 02:57, Michael Gmelin wrote:
>
> > c. libfetch really needs to get fixed to allow certificate
> > verification in its fetchX* and fetchHTTP* functions when using
> > HTTPS. fetch(3) is based on it and there is no indication anywhere
> > whatsoever that no checks are done at all (none of the libfetch or
> > fetch utility man pages mention it).
> 
> This would be useful functionality to add to libfetch.  However,
> support for DANE (RFC 6698) would be even better, IMHO.
> 

Hi Matthew,

I implemented all the bits necessary back in January and discussed the
patch with Dag at length. The final result was (well, IMHO) quite
satisfactory, but then I got distracted by a couple of very tight
deadlines until early March. I mailed the latest version of the patch
to Dag, but didn't receive any feedback yet - it's been only a few weeks
though.

From my perspective the patch is complete, since all the features
I intended to implement have been implemented and tested according to
the relevant RFCs. Adding DANE, like you suggested, would be great,
but I don't have the time to acquire the expertise required right now.
Plus implementing it is not a replacement for supporting a "traditional"
SSL CA infrastructure.

You can fetch the latest version of the patch at
http://blog.grem.de/libfetch_20130307.patch

(I didn't bother adding it to kern/175514, since AFAIK patches
containing UTF-8 characters are still broken in the PR system).

I wrote a tutorial, available at http://goo.gl/tW7P3 [1], on how to
actually take advantage of the features provided by the patch in a
fully trusted and bidirectionally authenticated pkgng setup. I hope
this is useful to somebody else. We'll roll out a very similar setup on
all of our servers in the near future.

I'd like to see the patches to libfetch/fetch make it to base, since I
think these features just have to be in there, regardless of what you
think of traditional PKI infrastructures.

Cheers,
Michael

[1]
http://blog.grem.de/sysadmin/Trusted-Package-Distribution-With-pkgng-2013-03-30.html

-- 
Michael Gmelin


More information about the freebsd-ports mailing list