Summary: | security/ca_root_nss: Add port option to remove duplicate certs based on Subject
---|---
Product: | Ports & Packages
Component: | Individual Port(s)
Status: | Closed Overcome By Events
Severity: | Affects Some People
Priority: | ---
Version: | Latest
Hardware: | Any
OS: | Any
Reporter: | Jim Pirzyk <pirzyk>
Assignee: | Jochen Neumeister <joneum>
CC: | feld, joneum, junovitch, michael.osipov, ports-secteam, w.schwarzenfeld
Keywords: | needs-qa
Flags: | bugzilla: maintainer-feedback? (ports-secteam)

Description
Jim Pirzyk
2017-07-06 12:52:31 UTC
One could argue that StartSSL should just be blacklisted entirely, but on the other hand I'm also very wary of distributing any version of ca_root_nss that has been modified in any way. I'd like to hear input from other ports-secteam@ members.

I concur that I'm a bit weary to distribute a modified ca_root_nss port by default. I feel we should remain without bias on what upstream is providing. However, for an off-by-default option this does look like a viable workaround for the bug. I would like to see this reported to the OpenVPN folks first before making a modification like this, particularly if OpenVPN is the only software impacted by this.

On the purely technical side, from a cursory look at the patch, the NODUPS_CONFIGURE_ON looks far too close to a port "option helper" when it is just used as an environmental variable. Seeing it wrapped in the PORT_OPTION check threw me for a bit. I would change that and fix the "ingnoring" typo at a minimum.

Created attachment 184255
Patch to add make option (Fixed typo)

OpenVPN Bug report https://community.openvpn.net/openvpn/ticket/913

What is the current status? Does ports-secteam have to be active here?

OpenVPN closed the bug report as not a bug. They do not recognize the need to have multiple Subject entries in the ca_root_nss file. While removing StartSSL would get around the issue, it doesn't solve the underlying problem. The basic question here is "Is having duplicate Subject lines in the ca_root_nss file accepted and supported?" and if so, "What do we do with applications that do not (or will not) support such a configuration?"

Your patch should fix that in FreeBSD, right? Unfortunately it is 2 years old. Can it still be used? (I did not test it)

Created attachment 202060
Updated patch

ping!

(In reply to Walter Schwarzenfeld from comment #9)
What are we pinging here? I have submitted an updated patch.

There is nothing wrong with having more than one cert with the same subject. I can present two public ones (CA certs) for this case. One with SHA-1, the other with SHA-256, both are still valid have validate sub certs. Throwing them out is wrong for me.

I 100% agree here. The problem is when certain applications do not properly handle multiple certs (openvpn for example). I only added this option as a way to get around the shortcoming of those apps. I would not want this option to be the default.

The question I'm asking myself is this: If OpenVPN says this is not a bug, so not a bug, then why should we change it here? The point is that you can manage multiple certificates. Michael and Jim are for changing it in FreeBSD anyway, right? Are there any other opinions? I am for not changing it, but I am open to other opinions.

(In reply to Jochen Neumeister from comment #13)
I do not consider that the port must be changed to fix an issue with OpenVPN. Rather, this needs to be addressed somehow else. I think that soon certctl(8) will be in place, the user has full control over certs in /etc/ssl/certs/ with blacklists and can safely block certs with subject name collision. After 12.2 and 11.4 I see no need for security/ca_root_nss at all, imho.

^Triage Reset assignee (timeout; 6 months), leave in CC (port maintainer)

No activity for 3 years. I close here. If there are any questions or problems, feel free to reopen it.