RFC: Proposal: Install a /etc/ssl/cert.pem by default?

Bryan Drewery bdrewery at FreeBSD.org
Thu Jul 3 01:55:17 UTC 2014


+portmgr

On 7/2/2014 6:45 PM, Xin Li wrote:
> Hi,
> 
> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
> because we do not maintain one ourselves.  We do, however, provide a
> port, security/ca_root_nss, which has an option to install a symbolic
> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
> which is not the default option.
> 
> This becomes a problem when applications, e.g. fetch(8), have grown
> support for doing certificate validation.  I think now it makes sense
> to have a default cert.pem installed with the base system.
> 
> So my proposal would be:
> 
> 1. Import a set of trusted root certificates, and install if
> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
> 
> 2. In src/etc/Makefile, automatically create a symbolic link if it's
> not already present in ${DESTDIR}/etc/ssl;
> 
> 3. Teach mergemaster(8) and other similar applications to create the
> symbolic link on demand;
> 
> 4. Change the install/deinstall behavior of security/ca_root_nss:
>    ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
> install then overwrite with new symlink, and restore on deinstall.
>    ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
> install a new symlink; on deinstall, if
> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
> symlink to there, or remove if the file does not exist.
> 
> Comments/objections?
> 
> Cheers,

Please see r266291.

libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl.

The next step was to have the port always install the symlink there.
It's fallen through the cracks though.

This only allows fixing applications that use libfetch though and not
other applications that expect a /etc/ssl/cert.pem like curl. I have no
qualms about making security/ca_root_nss *always* install a symlink into
/usr/local/etc/ssl, but touching the base system is not usually proper for a
port. There is this vague idea floating around that for package
building, ports should never touch the base system (except /var/db or
/var/games or /etc/*passwd*) and / should otherwise be read-only. This
has not become a reality or had much discussion yet, though we do frown
on overwriting base and touching base already. For example, the perl
symlink in /usr/bin is phased out.

I like the idea of the base system installing a symlink from
/etc/ssl/cert.pem to *somewhere*.

I like the idea of secteam maintaining a ca-root-freebsd.pem even
better, as long as you are willing to.

IMHO always install it, don't depend on MK_OPENSSL. Is the file actually
specific to OpenSSL? Ports would love to have it be available all the
time regardless of SSL library choices.

-- 
Regards,
Bryan Drewery
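
The install/deinstall symlink handling that step 4 of the quoted proposal describes, as an added example in plain POSIX sh; this is not the ca_root_nss port's own Makefile or pkg-plist logic. It adds one defensive check the proposal leaves implicit (the unchecked deinstall only touches a link that points at the NSS bundle, and never leaves a dangling cert.pem behind) and ends with the resolve check a consumer such as fetch(8) or curl actually needs. The ROOT prefix, the backup file name and the occupied/cert_pem_resolves helpers are assumptions for this example.

```sh
#!/bin/sh
# Added example: the install/deinstall symlink handling proposed in step 4,
# written as plain shell functions. It is NOT the real ca_root_nss port
# logic. ROOT is assumed: it defaults to a scratch directory so running
# this never touches the live system; set ROOT=/ only on purpose.
ROOT=${ROOT:-$(mktemp -d)}; ROOT=${ROOT%/}
CERT_PEM="$ROOT/etc/ssl/cert.pem"
BACKUP="$CERT_PEM.ca_root_nss.bak"          # hypothetical backup name
NSS_CRT="$ROOT/usr/local/share/certs/ca-root-nss.crt"
BASE_PEM="$ROOT/usr/share/misc/ca-root-freebsd.pem"

# True if anything (a file, or even a dangling symlink) occupies the path.
occupied() { [ -e "$1" ] || [ -L "$1" ]; }

# ETCSYMLINK checked: back up whatever is at cert.pem, then point it at NSS.
install_checked() {
    mkdir -p "$(dirname "$CERT_PEM")"
    if occupied "$CERT_PEM"; then mv "$CERT_PEM" "$BACKUP"; fi
    ln -s "$NSS_CRT" "$CERT_PEM"
}

# ETCSYMLINK checked, deinstall: drop our link and restore the backup.
deinstall_checked() {
    rm -f "$CERT_PEM"
    if occupied "$BACKUP"; then mv "$BACKUP" "$CERT_PEM"; fi
}

# ETCSYMLINK unchecked: create the link only if nothing is there already.
install_unchecked() {
    mkdir -p "$(dirname "$CERT_PEM")"
    if ! occupied "$CERT_PEM"; then ln -s "$NSS_CRT" "$CERT_PEM"; fi
}

# ETCSYMLINK unchecked, deinstall: only touch a link that is ours; re-point
# it at the base bundle if that exists, otherwise remove it so no dangling
# cert.pem is left behind to break certificate validation.
deinstall_unchecked() {
    if [ -L "$CERT_PEM" ] && [ "$(readlink "$CERT_PEM")" = "$NSS_CRT" ]; then
        rm -f "$CERT_PEM"
        if [ -e "$BASE_PEM" ]; then ln -s "$BASE_PEM" "$CERT_PEM"; fi
    fi
}

# The check a consumer like fetch(8) needs: cert.pem must resolve to a file
# (a dangling symlink fails this test).
cert_pem_resolves() { [ -f "$CERT_PEM" ]; }
```

Source the file and call the four functions by hand; cert_pem_resolves is the one worth running after any package operation, since a dangling /etc/ssl/cert.pem turns every TLS fetch into a validation failure.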
