
*: switch ports to USES=caroot
AbandonedPublic

Authored by kevans on Aug 11 2021, 3:27 AM.
Details

Reviewers
adamw
michaelo
Group Reviewers
portmgr
Summary

This is 95% of the ports that currently use ca_root_nss. Some have a
CA_BUNDLE option that I've not yet touched, because... it's not clear to
me what we want to do there, or if the options can just be
dropped/replaced.

Diff Detail

Repository
rP FreeBSD ports repository
Lint
No Lint Coverage
Unit
No Test Coverage
Build Status
Buildable 40977
Build 37866: arc lint + arc unit

Event Timeline

dns/libasr-devel/Makefile:17

It looks like the ca_root_nss dependency was removed from libasr-devel/Makefile, but caroot wasn't added to USES. The CA_BUNDLE option switched the default CA location to ${LOCALBASE}, but without USES=caroot, /etc/ssl/cert.pem will be a stub on pre-certctl machines.

mail/mpop/Makefile:48

mail/mpop/Makefile doesn't have USES=caroot. Will that not just be a stub on older machines?

michaelo requested changes to this revision. Edited Aug 11 2021, 8:21 AM

Awesome to see this! Thank you Kyle.

I do not fully understand the purpose of caroot here for the following reasoning:

  • I cannot find caroot in /usr/ports/Mk. How is this supposed to work?
  • If an application uses OpenSSL from base and calls SSL_CTX_set_default_verify_paths()/SSL_CTX_set_default_verify_dir(), or any other TLS implementation which reads /etc/ssl/certs by default, it will work out of the box.
  • If an application does not call SSL_CTX_set_default_verify_paths()/SSL_CTX_set_default_verify_dir(), but uses SSL_CTX_load_verify_locations() with the hardcoded location of ca_root_nss there is no way for us to know w/o looking into the code.
  • If an application uses OpenSSL from ports, the following applies and there is no trust store. Same applies for libressl/libressl-devel.

Here are two similar issues related to trust stores: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253060 and https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256902

OpenSSL from ports:
OPENSSLDIR: "/usr/local/openssl"

LibreSSL:
OPENSSLDIR: "/usr/local/etc/ssl"

This revision now requires changes to proceed. Aug 11 2021, 8:21 AM
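The inline comments above worry that /etc/ssl/cert.pem is only a stub on machines without certctl, and michaelo's comment lists the different OPENSSLDIR values of base OpenSSL, ports OpenSSL and LibreSSL. The following check, added here as an example and not part of the review or of the ports tree, ties the two together: given a library's OPENSSLDIR, it reports whether the default trust store (cert.pem bundle or certctl-style certs/ directory) is missing, a stub, or actually populated. The directory layout it builds under mktemp is constructed for the demonstration, and the PEM blocks it writes are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not part of the review or of the ports tree: report whether
# a TLS library's default trust store (OPENSSLDIR/cert.pem or OPENSSLDIR/certs)
# actually contains certificates, so a stub cert.pem is caught before deployment.

# openssldir_of CMD: parse OPENSSLDIR from `CMD version -d`; empty if CMD is absent.
openssldir_of() {
    "$1" version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# count_pem_certs FILE: number of PEM certificate blocks in FILE (0 if unreadable).
count_pem_certs() {
    n=0
    if [ -r "$1" ]; then
        # grep -c prints 0 and exits 1 when nothing matches; keep the 0.
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    fi
    echo "${n:-0}"
}

# trust_store_status OPENSSLDIR: prints "missing", "stub" or "populated".
trust_store_status() {
    dir=$1
    n=$(count_pem_certs "$dir/cert.pem")
    # certctl-style hashed directory: any entry (file or symlink) counts.
    if [ -d "$dir/certs" ]; then
        for f in "$dir"/certs/*; do
            [ -e "$f" ] && n=$((n + 1))
        done
    fi
    if [ ! -e "$dir/cert.pem" ] && [ ! -d "$dir/certs" ]; then
        echo missing
    elif [ "$n" -gt 0 ]; then
        echo populated
    else
        echo stub
    fi
}

# make_demo_tree: constructed layout modelled on the OPENSSLDIRs named in the
# review (base /etc/ssl, ports OpenSSL /usr/local/openssl, LibreSSL
# /usr/local/etc/ssl), all under a temp directory. Prints that directory.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssl/certs" "$root/usr/local/etc/ssl"
    # pre-certctl style stub: comments only, no certificates
    printf '# stub: populate with certctl rehash or ca_root_nss\n' \
        > "$root/usr/local/etc/ssl/cert.pem"
    # populated store: placeholder PEM blocks (constructed, not real certificates)
    for i in 1 2 3; do
        printf '%s\n%s %s\n%s\n' '-----BEGIN CERTIFICATE-----' \
            'CONSTRUCTED PLACEHOLDER' "$i" '-----END CERTIFICATE-----'
    done > "$root/etc/ssl/cert.pem"
    # ports OpenSSL dir deliberately absent: usr/local/openssl is never created
    echo "$root"
}

demo=$(make_demo_tree)
for d in etc/ssl usr/local/openssl usr/local/etc/ssl; do
    printf '%-22s %s\n' "$d" "$(trust_store_status "$demo/$d")"
done
rm -rf "$demo"
# Real use on a host: trust_store_status "$(openssldir_of openssl)"
```

On a real host, run `trust_store_status "$(openssldir_of openssl)"` for the base library and point it at /usr/local/openssl or /usr/local/etc/ssl for the ports OpenSSL and LibreSSL cases the review lists; a "stub" or "missing" result is exactly the situation where the USES=caroot dependency (or a certctl rehash) is still needed.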
In D31497#710068, @1983-01-06_gmx.net wrote:

Awesome to see this! Thank you Kyle.

I do not fully understand the purpose of caroot here for the following reasoning:

  • I cannot find caroot in /usr/ports/Mk. How is this supposed to work?

The answer to this question answers most of your others, see here: https://reviews.freebsd.org/D31487; it's entirely "pull in the dependency on FreeBSD versions that don't have a root trust store installed in base"

  • If an application uses OpenSSL from base and calls SSL_CTX_set_default_verify_paths()/SSL_CTX_set_default_verify_dir(), or any other TLS implementation which reads /etc/ssl/certs by default, it will work out of the box.
  • If an application does not call SSL_CTX_set_default_verify_paths()/SSL_CTX_set_default_verify_dir(), but uses SSL_CTX_load_verify_locations() with the hardcoded location of ca_root_nss there is no way for us to know w/o looking into the code.
  • If an application uses OpenSSL from ports, the following applies and there is no trust store. Same applies for libressl/libressl-devel.

Here are two similar issues related to trust stores: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253060 and https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256902

OpenSSL from ports:
OPENSSLDIR: "/usr/local/openssl"

LibreSSL:
OPENSSLDIR: "/usr/local/etc/ssl"

I'll circle back on the rest within a couple days... this patch still needs a bit of fine-tuning.

@kevans, can you close this one as it has been obsoleted?

No longer relevant; all supported versions have certctl and a root trust store.