Re: ports/160387: security/ca_root_nss: Allow user to trust extra local certificates



The following reply was made to PR ports/160387; it has been noted by GNATS.

From: Jan Beich <jbeich@xxxxxxxxxxx>
To: Romain Tartiere <romain@xxxxxxxxxxx>
Cc: bug-followup@xxxxxxxxxxx
Subject: Re: ports/160387: security/ca_root_nss: Allow user to trust extra local certificates
Date: Fri, 01 Feb 2013 00:30:34 +0500

Romain Tartiere <romain@xxxxxxxxxxx> writes:

> 1. Have some domain protected by some self-made certificate or e.g. cacert
> 2. Install security/ca_root_nss and ftp/curl
> 3. curl https://some.domain.example.com/
> ** fails **
> 4. cat cert >> /usr/local/share/certs/ca-root-nss.crt
> 5. curl https://some.domain.example.com/
> ** success **

This mostly depends on the app, e.g.:

- openssl(1) only uses CA certs with -CApath or -CAfile
- subversion (neon), lynx, etc. call SSL_CTX_set_default_verify_paths()
- curl (openssl) hardcodes either /etc/ssl/certs/ or
${LOCALBASE}/share/certs/ca-root-nss.crt (CA_BUNDLE option)
- curl (gnutls) hardcodes /etc/ssl/cert.pem
- epiphany2 (gnutls?) accepts self-signed certificates without
warning but otherwise hardcodes path to ca-root-nss.crt
- firefox and chromium hardcode CA certs into libnssckbi.so from a
bundled copy of certdata.txt in nss port (not ca_root_nss)

and in a bit more detail:

# add a shared self-signed certificate
$ mkdir /etc/ssl/certs; cd /etc/ssl/certs
$ openssl s_client -connect trillian.chruetertee.ch:https </dev/null 2>&0 |
    sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
    openssl x509 -text -fingerprint >freebsd-gecko.crt
$ ln -sf freebsd-gecko.crt $(openssl x509 -hash -noout -in freebsd-gecko.crt).0

$ openssl s_client -connect trillian.chruetertee.ch:https -CApath /var/empty
...
Verify return code: 0 (ok)

$ curl https://trillian.chruetertee.ch/svn/freebsd-gecko/trunk/
<?xml version="1.0"?>
...

$ HOME=/var/empty svn ls https://trillian.chruetertee.ch/svn/freebsd-gecko/trunk/
Gecko_ChangeLog
Gecko_TODO
Mk/
devel/
mail/
security/
www/

It may be worth looking at how other distros tried to solve the mess.

https://fedoraproject.org/wiki/FedoraCryptoConsolidation

http://en.opensuse.org/SDB:Share_certificates_between_applications_or_whole_system
_______________________________________________
freebsd-gecko@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-gecko
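Added example, not part of the PR or of the message above: POSIX sh functions that carry out the hashed-symlink step from the session in the message (copy the PEM file into a CApath directory and add the <subject-hash>.0 link that OpenSSL's directory lookup expects), using a throwaway self-signed certificate generated locally so it runs offline. It then checks with openssl verify that the certificate is accepted when that directory is passed as -CApath and rejected against an empty directory, which is the /var/empty style check from the message. The CA subject, file names and the --demo flag are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the PR or the message): exercise the CApath
# hashed-symlink technique with a locally generated test CA.
set -eu

# Create a self-signed certificate to stand in for the "cert" of the PR
# steps. Writes ca.key and ca.crt into the directory given as $1.
make_test_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=local-test-ca.example' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# Install a PEM certificate into a CApath-style directory: copy it in and add
# the <subject-hash>.0 symlink (the "ln -sf ... $(openssl x509 -hash ...).0"
# step in the message). Prints the path of the symlink it created.
install_ca_symlink() {
    capath=$1 cert=$2
    name=$(basename "$cert")
    cp "$cert" "$capath/$name"
    hash=$(openssl x509 -hash -noout -in "$cert")
    ln -sf "$name" "$capath/$hash.0"
    echo "$capath/$hash.0"
}

# Return 0 if CERT verifies against the directory given as -CApath, non-zero
# otherwise. Note the message's point about app behaviour: openssl verify
# still consults the default CAfile unless -no-CAfile (OpenSSL 1.1.0+) is
# passed, which does not matter for a locally generated CA.
verify_with_capath() {
    capath=$1 cert=$2
    openssl verify -CApath "$capath" "$cert" >/dev/null 2>&1
}

# Walk through the whole procedure in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/capath" "$tmp/empty"
    make_test_ca "$tmp"
    echo "installed $(install_ca_symlink "$tmp/capath" "$tmp/ca.crt")"
    if verify_with_capath "$tmp/capath" "$tmp/ca.crt"; then
        echo "trusted via -CApath $tmp/capath"
    fi
    if ! verify_with_capath "$tmp/empty" "$tmp/ca.crt"; then
        echo "rejected via empty -CApath (as expected)"
    fi
    rm -rf "$tmp"
}

# Run the walkthrough only when invoked as: sh this-script.sh --demo
[ "${1:-}" = "--demo" ] && demo
```

The relative symlink (ln -sf "$name" rather than an absolute path) keeps the directory relocatable, and the same install function works for any PEM certificate, not only a self-signed one.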