From romain@blogreen.org  Fri Sep  2 09:56:12 2011
Return-Path: <romain@blogreen.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 171DF1065672
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  2 Sep 2011 09:56:12 +0000 (UTC)
	(envelope-from romain@blogreen.org)
Received: from marvin.blogreen.org (smortex-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:7c2::2])
	by mx1.freebsd.org (Postfix) with ESMTP id C8D028FC14
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  2 Sep 2011 09:56:11 +0000 (UTC)
Received: by marvin.blogreen.org (Postfix, from userid 1001)
	id E06781CC6B; Fri,  2 Sep 2011 11:56:10 +0200 (CEST)
Message-Id: <20110902095610.E06781CC6B@marvin.blogreen.org>
Date: Fri,  2 Sep 2011 11:56:10 +0200 (CEST)
From: Romain Tartiere <romain@FreeBSD.org>
Reply-To: Romain Tartiere <romain@FreeBSD.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: security/ca_root_nss: Allow user to trust extra local certificates
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         160387
>Category:       ports
>Synopsis:       security/ca_root_nss: Allow user to trust extra local certificates
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    gecko
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 02 10:00:24 UTC 2011
>Closed-Date:    
>Last-Modified:  Thu Jan 31 19:40:00 UTC 2013
>Originator:     Romain Tartiere
>Release:        FreeBSD 8.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD marvin.blogreen.org 8.2-STABLE FreeBSD 8.2-STABLE #7 r222417: Sat May 28 13:23:35 CEST 2011 root@marvin.blogreen.org:/usr/obj/usr/src/sys/MARVIN amd64

>Description:

When building packages for multiple FreeBSD boxes that will access internal
resources using self-made certificates / other organisations' certificates, it
would be handy to add these certificates to the generated file.

This way, it is directly possible to use many programs (e.g. epiphany, curl)
without first editing this file by hand (or with some tools such as puppet).

Beyond the benefit of not having to tweak this file manually, 'pkg_info -g'
would not complain about mismatching file checksums unless something bad
happened.

>How-To-Repeat:

1. Have some domain protected by some self-made certificate or e.g. cacert
2. Install security/ca_root_nss and ftp/curl
3. curl https://some.domain.example.com/
  ** fails **
4. cat cert >> /usr/local/share/certs/ca-root-nss.crt
5. curl https://some.domain.example.com/
  ** success **

>Fix:

If the certificates are available at compile time, adding a feature to
'register' them along with the others is somewhat trivial:

--- ca_root_nss.patch begins here ---
--- Makefile.orig	2011-09-02 10:17:54.489639211 +0200
+++ Makefile	2011-09-02 10:22:48.659844571 +0200
@@ -69,6 +69,9 @@
 do-build:
 	@${PERL} ${WRKDIR}/ca-bundle.pl < ${WRKDIR}/certdata.txt > \
 	    ${WRKDIR}/ca-root-nss.crt
+.if defined(CA_ROOT_NSS_EXTRA_CERTS)
+	@${CAT} ${CA_ROOT_NSS_EXTRA_CERTS} >> ${WRKDIR}/ca-root-nss.crt
+.endif
 
 do-install:
 	${MKDIR} ${PREFIX}/${CERTDIR}
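Review bot: the `@${CAT} ${CA_ROOT_NSS_EXTRA_CERTS} >> ${WRKDIR}/ca-root-nss.crt` line appends whatever the variable names without checking that each entry is a readable PEM certificate, so a mistyped path fails the build with a bare cat error and a DER file or a stray private key silently corrupts the bundle that every consumer on the box trusts; consider validating each file before appending (for instance `openssl x509 -noout -in` per entry in a `.for` loop) and documenting CA_ROOT_NSS_EXTRA_CERTS in the Makefile header next to the other user-settable knobs, since nothing in the hunk tells a user the variable exists.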
--- ca_root_nss.patch ends here ---

I don't think "regular" users would use that feature so maybe presenting an
OPTION is overkill.  But maybe a message saying to 'set CA_ROOT_NSS_EXTRA_CERTS
to the list of local certificates to trust' just before the build may be a
plus.

What is your opinion about such a feature?
Thanks!
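As an added example that is not part of this PR or the port's Makefile, here is a POSIX sh helper doing what the patch's single `cat` line does, but refusing any file that is not a plain PEM certificate file so a bad input cannot corrupt the bundle; the function names, the sample certificate blocks and the bundle path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the port's own code: validate extra local CA files
# before appending them to ca-root-nss.crt (hypothetical helper names).

# Print the number of PEM CERTIFICATE blocks in $1; return 1 if the file is
# empty, contains no PEM block, contains any non-certificate block (private
# key, CSR, CRL ...) or has unbalanced BEGIN/END markers.
pem_cert_count() {
    f=$1
    [ -s "$f" ] || return 1
    grep -q -- '-----BEGIN ' "$f" || return 1
    if grep -- '-----BEGIN ' "$f" | grep -qv -- '-----BEGIN CERTIFICATE-----'; then
        return 1
    fi
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----$' "$f" || :)
    ends=$(grep -c -- '^-----END CERTIFICATE-----$' "$f" || :)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
    echo "$begins"
}

# append_extra_certs BUNDLE FILE...: validate every file first, then append
# them all, so a single bad file leaves the bundle untouched. Prints the
# number of certificates added.
append_extra_certs() {
    bundle=$1; shift
    total=0
    for f in "$@"; do
        n=$(pem_cert_count "$f") || {
            echo "refusing $f: not a PEM certificate file" >&2
            return 1
        }
        total=$((total + n))
    done
    for f in "$@"; do
        cat "$f" >> "$bundle"
        # Keep blocks on their own lines even if a file lacks a final newline.
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$bundle"
    done
    echo "$total"
}
```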
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->brooks 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Fri Sep 2 10:00:39 UTC 2011 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=160387 
Responsible-Changed-From-To: brooks->gecko 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Nov 20 23:23:46 UTC 2011 
Responsible-Changed-Why:  
Over to current maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=160387 

From: Jan Beich <jbeich@tormail.org>
To: Romain Tartiere <romain@FreeBSD.org>
Cc: bug-followup@freebsd.org
Subject: Re: ports/160387: security/ca_root_nss: Allow user to trust extra local certificates
Date: Fri, 01 Feb 2013 00:30:34 +0500

 Romain Tartiere <romain@FreeBSD.org> writes:
 
 > 1. Have some domain protected by some self-made certificate or e.g. cacert
 > 2. Install security/ca_root_nss and ftp/curl
 > 3. curl https://some.domain.example.com/
 >   ** fails **
 > 4. cat cert >> /usr/local/share/certs/ca-root-nss.crt
 > 5. curl https://some.domain.example.com/
 >   ** success **
 
 This mostly depends on the app, e.g.,
 
 - openssl(1) only uses CA certs with -CApath or -CAfile
 - subversion (neon), lynx, etc. call SSL_CTX_set_default_verify_paths()
 - curl (openssl) hardcodes either /etc/ssl/certs/ or
   ${LOCALBASE}/share/certs/ca-root-nss.crt (CA_BUNDLE option)
 - curl (gnutls) hardcodes /etc/ssl/cert.pem
 - epiphany2 (gnutls?) accepts self-signed certificates without
   warning but otherwise hardcodes path to ca-root-nss.crt
 - firefox and chromium hardcode CA certs into libnssckbi.so from a
   bundled copy of certdata.txt in nss port (not ca_root_nss)
 
 and a bit more detailed
 
   # add a shared self-signed certificate
   $ mkdir /etc/ssl/certs; cd /etc/ssl/certs
   $ openssl s_client -connect trillian.chruetertee.ch:https </dev/null 2>&0 |
     sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
     openssl x509 -text -fingerprint >freebsd-gecko.crt
   $ ln -sf freebsd-gecko.crt $(openssl x509 -hash -noout -in freebsd-gecko.crt).0
 
   $ openssl s_client -connect trillian.chruetertee.ch:https -CApath /var/empty
   ...
         Verify return code: 0 (ok)
   
   $ curl https://trillian.chruetertee.ch/svn/freebsd-gecko/trunk/
   <?xml version="1.0"?>
   ...
 
   $ HOME=/var/empty svn ls https://trillian.chruetertee.ch/svn/freebsd-gecko/trunk/
   Gecko_ChangeLog
   Gecko_TODO
   Mk/
   devel/
   mail/
   security/
   www/
 
 It may be worth looking at how other distros tried to solve the mess.
 
 https://fedoraproject.org/wiki/FedoraCryptoConsolidation
 http://en.opensuse.org/SDB:Share_certificates_between_applications_or_whole_system
>Unformatted:
