
security/ca_root_nss: handle bundle links consistently for ETCSYMLINK
ClosedPublic

Authored by des on Dec 4 2024, 12:39 PM.
Details

Summary

/usr/local/openssl/cert.pem is the default location for security/openssl,
so it should be handled just like /etc/ssl/cert.pem for base OpenSSL. To
avoid having samples and copies with differing contents, point both files
to the actual /usr/local/etc/ssl/cert.pem created by the sample. If users
have set their own content, that is likely intended and should be enforced
across all three files.

PR: 283161

Diff Detail

Repository
R11 FreeBSD ports repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

franco_opnsense.org created this revision.
des requested changes to this revision. Dec 20 2024, 5:02 PM
des added a subscriber: des.
des added inline comments.
security/ca_root_nss/Makefile:54

This doesn't look right...

This revision now requires changes to proceed. Dec 20 2024, 5:02 PM
security/ca_root_nss/Makefile:54

Can you be specific?

# diff -u /usr/local/etc/ssl/cert.pem{,.sample}
# ls -lah /etc/ssl/cert.pem
lrwxr-xr-x  1 root wheel   32B Dec 20 19:01 /etc/ssl/cert.pem -> ../../usr/local/etc/ssl/cert.pem
# ls -lah /usr/local/openssl/cert.pem
lrwxr-xr-x  1 root wheel   19B Dec 20 19:01 /usr/local/openssl/cert.pem -> ../etc/ssl/cert.pem
# ls -lah /usr/local/etc/ssl/cert.pem
-rw-r--r--  1 root wheel  774K Dec 20 19:01 /usr/local/etc/ssl/cert.pem
# md5 /etc/ssl/cert.pem
MD5 (/etc/ssl/cert.pem) = 5114bb207368fb4f8afb93275db6bf37
# md5 /usr/local/etc/ssl/cert.pem
MD5 (/usr/local/etc/ssl/cert.pem) = 5114bb207368fb4f8afb93275db6bf37
# md5 /usr/local/etc/ssl/cert.pem.sample 
MD5 (/usr/local/etc/ssl/cert.pem.sample) = 5114bb207368fb4f8afb93275db6bf37
# md5 /usr/local/openssl/cert.pem
MD5 (/usr/local/openssl/cert.pem) = 5114bb207368fb4f8afb93275db6bf37
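The layout the summary describes (one real bundle at /usr/local/etc/ssl/cert.pem, with /etc/ssl/cert.pem and /usr/local/openssl/cert.pem as relative symlinks to it) is what the ls/md5 listing above verifies by hand. The script below is an added example, not part of the ports change or of anything posted in this review: it builds a constructed miniature of that tree under a directory of your choosing and checks that every bundle path resolves to the same canonical file and carries identical content, which is the drift condition (sample, copy and link with differing contents) the change is meant to rule out. The function names and the temporary tree are assumptions for the demonstration; the three paths are the ones named in the review.

```shell
#!/bin/sh
# Added example: consistency check for CA bundle paths. Not code from the
# FreeBSD ports tree; names below are chosen for this demonstration only.

# check_bundle_links CANONICAL LINK...
# Returns 0 when every LINK resolves (following symlinks) to CANONICAL and
# its content is identical to CANONICAL; otherwise reports each problem on
# stderr and returns 1. A regular-file copy with matching content is still
# reported, because edits to the canonical bundle would not propagate to it.
check_bundle_links() {
    canonical=$1
    shift
    status=0
    if [ ! -f "$canonical" ] || [ -L "$canonical" ]; then
        echo "canonical bundle missing or is itself a symlink: $canonical" >&2
        return 1
    fi
    canon_real=$(realpath "$canonical") || return 1
    for link in "$@"; do
        if [ ! -e "$link" ]; then
            echo "missing or dangling: $link" >&2
            status=1
            continue
        fi
        target=$(realpath "$link")
        if [ "$target" != "$canon_real" ]; then
            echo "does not resolve to canonical bundle: $link -> $target" >&2
            status=1
        fi
        if ! cmp -s "$link" "$canonical"; then
            echo "content differs from canonical bundle: $link" >&2
            status=1
        fi
    done
    return $status
}

# build_demo_tree ROOT
# Constructs, under ROOT, the layout shown in the review listing: a sample,
# a real bundle copied from it, and the two relative symlinks. The bundle
# body is a constructed placeholder, not a real certificate.
build_demo_tree() {
    root=$1
    mkdir -p "$root/usr/local/etc/ssl" "$root/usr/local/openssl" "$root/etc/ssl"
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED SAMPLE BUNDLE\n-----END CERTIFICATE-----\n' \
        > "$root/usr/local/etc/ssl/cert.pem.sample"
    cp "$root/usr/local/etc/ssl/cert.pem.sample" "$root/usr/local/etc/ssl/cert.pem"
    # Same relative targets as in the ls -lah output above.
    ln -s ../../usr/local/etc/ssl/cert.pem "$root/etc/ssl/cert.pem"
    ln -s ../etc/ssl/cert.pem "$root/usr/local/openssl/cert.pem"
}

# Usage against the demo tree (run against a real host by passing "" as ROOT):
#   root=$(mktemp -d); build_demo_tree "$root"
#   check_bundle_links "$root/usr/local/etc/ssl/cert.pem" \
#       "$root/etc/ssl/cert.pem" "$root/usr/local/openssl/cert.pem"
```

Run with an empty root prefix to audit a live host; the check uses only realpath and cmp, so it does not depend on any particular hashing tool, and it distinguishes a link that merely has the right bytes from one that actually resolves to the canonical file.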

@des did you find the time to make a technical assessment? thanks!

I keep trying to think of a better way to do this than abuse the @sample mechanism, but I'm not sure there is one if we don't want to break compatibility for the non-ETCSYMLINK case. Ultimately what we need is to finish certctl so ETCSYMLINK is no longer needed, but this is probably good enough until then.

This revision is now accepted and ready to land. Feb 17 2025, 11:46 AM
des edited reviewers, added: franco_opnsense.org; removed: des.
This revision now requires review to proceed. Feb 17 2025, 11:48 AM
This revision was not accepted when it landed; it landed in state Needs Review. Feb 17 2025, 12:13 PM
This revision was automatically updated to reflect the committed changes.