RFC: Proposal: Install a /etc/ssl/cert.pem by default?

Glen Barber gjb at FreeBSD.org
Thu Jul 3 03:29:38 UTC 2014


On Wed, Jul 02, 2014 at 04:45:53PM -0700, Xin Li wrote:
> Hi,
> 
> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
> because we do not maintain one ourselves.  We do, however, provide a
> port, security/ca_root_nss, which has an option to install a symbolic
> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
> which is not the default option.
> 
> This becomes a problem when applications, e.g. fetch(8), have grown
> support for doing certificate validation.  I think it now makes sense
> to have a default cert.pem installed with the base system.
> 
> So my proposal would be:
> 
> 1. Import a set of trusted root certificates, and install if
> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
> 
> 2. In src/etc/Makefile, automatically create a symbolic link if it's
> not already present in ${DESTDIR}/etc/ssl;
> 
> 3. Teach mergemaster(8) and other similar applications to create the
> symbolic link on demand;
> 
> 4. Change the install/deinstall behavior of security/ca_root_nss:
>    ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
> install, then overwrite it with the new symlink, and restore it on deinstall.
>    ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
> install a new symlink; on deinstall, if
> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
> symlink to there, or remove it if the file does not exist.
> 
> Comments/objections?
> 

No objection from me, personally, on the re@ side.  In the longer term,
it would avoid needing to install the security/ca_root_nss port
explicitly for a few things for which it will be needed in the 10.1 and
11.0 releases.

I do not, however, believe this is suitable to target for 9.3-RELEASE.

Glen
With hat:   re@
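The symlink handling in steps 2 and 4 of the quoted proposal, written out as an added example that is not FreeBSD's own src/etc/Makefile or the ca_root_nss port's pkg-plist logic. It runs entirely under $DESTDIR (defaulting to a scratch directory from mktemp) so the install/deinstall sequences can be exercised without touching a real /etc/ssl. The paths are the ones named in the proposal; the backup file name (cert.pem.bak), the function names, and the extra "only touch the link if we created it" guard in the unchecked-deinstall path are assumptions added here.

```shell
#!/bin/sh
# Added example, not FreeBSD code: cert.pem symlink install/deinstall logic
# as described in the proposal, operating under $DESTDIR so it is safe to try.
set -u

DESTDIR="${DESTDIR:-$(mktemp -d)}"
CERT_LINK="$DESTDIR/etc/ssl/cert.pem"
BASE_BUNDLE="$DESTDIR/usr/share/misc/ca-root-freebsd.pem"
PORT_BUNDLE="$DESTDIR/usr/local/share/certs/ca-root-nss.crt"
BACKUP="$CERT_LINK.bak"            # backup name is an assumption
BASE_TARGET=/usr/share/misc/ca-root-freebsd.pem
PORT_TARGET=/usr/local/share/certs/ca-root-nss.crt

# Report where cert.pem points, or "none" if there is no symlink.
cert_link_target() {
    if [ -L "$CERT_LINK" ]; then readlink "$CERT_LINK"; else echo none; fi
}

# Step 2: base system install creates the link only if nothing is there yet.
# -e is false for a dangling symlink, so -L is checked as well.
base_install_link() {
    mkdir -p "${CERT_LINK%/*}"
    if [ ! -e "$CERT_LINK" ] && [ ! -L "$CERT_LINK" ]; then
        ln -s "$BASE_TARGET" "$CERT_LINK"
    fi
}

# Step 4, port install.  $1 is "yes" or "no" for the ETCSYMLINK option.
port_install() {
    mkdir -p "${CERT_LINK%/*}"
    if [ "$1" = yes ]; then
        # ETCSYMLINK checked: preserve whatever was there, then overwrite.
        if [ -e "$CERT_LINK" ] || [ -L "$CERT_LINK" ]; then
            mv "$CERT_LINK" "$BACKUP"
        fi
        ln -s "$PORT_TARGET" "$CERT_LINK"
    else
        # ETCSYMLINK unchecked: install only if nothing pre-exists.
        if [ ! -e "$CERT_LINK" ] && [ ! -L "$CERT_LINK" ]; then
            ln -s "$PORT_TARGET" "$CERT_LINK"
        fi
    fi
}

# Step 4, port deinstall.
port_deinstall() {
    if [ "$1" = yes ]; then
        # Checked: drop our link and put the backup back if there was one.
        rm -f "$CERT_LINK"
        if [ -e "$BACKUP" ] || [ -L "$BACKUP" ]; then
            mv "$BACKUP" "$CERT_LINK"
        fi
    else
        # Unchecked: only act on a link we created (guard added here, not
        # stated in the proposal), then fall back to the base bundle if the
        # file exists, or remove the link outright if it does not.
        if [ "$(cert_link_target)" = "$PORT_TARGET" ]; then
            rm -f "$CERT_LINK"
            if [ -f "$BASE_BUNDLE" ]; then
                ln -s "$BASE_TARGET" "$CERT_LINK"
            fi
        fi
    fi
}
```

Source the script (or set DESTDIR to a scratch path and call the functions from an interactive shell) and check `cert_link_target` after each step; the link targets are absolute paths without $DESTDIR, exactly as a real install would write them, so they resolve only once the tree is installed at /.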
