Page MenuHomeFreeBSD

libfetch: test for /etc/ssl/cert.pem existence to avoid masking SSL_CA_CERT_PATH
ClosedPublic

Authored by john_saltant.com on Jan 3 2016, 11:44 PM.

Details

Reviewers
bapt
des
Summary

Prior to this patch, unless SSL_CA_CERT_FILE is set in the environment, libfetch will set the CA file to "/usr/local/etc/cert.pem" if it exists, and to "/etc/ssl/cert.pem" otherwise. This has the consequence of masking SSL_CA_CERT_PATH, because OpenSSL will ignore the CA path if a CA file is set but fails to load (see X509_STORE_load_locations()).

While here, fall back to OpenSSL defaults if neither SSL_CA_CERT_FILE nor SSL_CA_CERT_PATH are set in the environment, and if neither of the libfetch default CA files exists.

Test Plan

Verify by test, with the help of truss, DTrace, or equivalent, that an invocation of fetch(1) accesses CA cert paths and files as intended along each of the following degrees of freedom.

  1. "/usr/local/etc/ssl/cert.pem" and "/etc/ssl/cert.pem" exist or not
  2. SSL_CA_CERT_FILE is set or not (affects libfetch)
  3. SSL_CA_CERT_PATHis set or not (affects libfetch)
  4. SSL_CERT_FILE is set or not (affects libcrypto)
  5. SSL_CERT_DIR is set or not (affects libcrypto)

Diff Detail

Repository
rS FreeBSD src repository
Lint
Lint Skipped
Unit
Unit Tests Skipped

Event Timeline

john_saltant.com retitled this revision from to libfetch: test for /etc/ssl/cert.pem existence to avoid masking SSL_CA_CERT_PATH.
john_saltant.com updated this object.
john_saltant.com edited the test plan for this revision. (Show Details)
john_saltant.com added a reviewer: des.
john_saltant.com set the repository for this revision to rS FreeBSD src repository.
john_saltant.com added a project: security.
john_saltant.com added a subscriber: koobs.
john_saltant.com edited the test plan for this revision. (Show Details)Jan 4 2016, 12:55 PM
bapt accepted this revision.Jan 19 2016, 3:04 PM
bapt added a reviewer: bapt.
bapt added a subscriber: bapt.

As been committed as rS294326 (discussed with des)

This revision is now accepted and ready to land.Jan 19 2016, 3:04 PM
bapt closed this revision.Jan 19 2016, 3:04 PM