| Field | Value |
|---|---|
| Summary | Include a root certificate bundle in the base system |
| Product | Base System |
| Component | bin |
| Reporter | Rodney W. Grimes <rgrimes> |
| Assignee | Kyle Evans <kevans> |
| Status | In Progress |
| Severity | Affects Many People |
| Priority | --- |
| Version | CURRENT |
| Hardware | Any |
| OS | Any |
| CC | cem, emaste, michael.osipov, pi, ps.ports, rgrimes, thierry |
| Bug Depends on | 246190, 246614 |
| Bug Blocks | |
Description

Rodney W. Grimes, 2018-06-12 08:08:44 UTC

This item is progressing.

Comment 1 (Allan Jude)

This script will allow secteam@ to convert the NSS bundle into the per-CA files to be installed in /usr/share/certs: https://reviews.freebsd.org/D15713

There is a second part, trustctl(8), that creates the hashed symlinks in /etc/ssl/certs, that is almost finished.

Comment 2

(In reply to Allan Jude from comment #1)

That link should be: https://reviews.freebsd.org/D16684

Comment 3

Actual certificates for base: https://reviews.freebsd.org/D16856

trustctl(8): https://reviews.freebsd.org/D16857

Comment 4 (Michael Osipov)

Allan, I think there is still room for improvement. I'd like to add value to the issue because I desperately need it.

Comment 5 (Allan Jude)

(In reply to Michael Osipov from comment #4)

Kyle Evans has completed most of the work here. I don't know that there is much left to do. What ideas did you have?

Comment 6

(In reply to Allan Jude from comment #5)

Off the top of my head, two issues; for the rest I need to review at least the script:

* Subject hash collisions are not handled at all, see bug 246614
* It would be very helpful for non-OpenSSL users/other apps to distill a crt file from all certs in the certs/ dir to a well-known location.
* As soon as this is available, consider what will happen with ca_root_nss, because I am certain it will cause confusion that two stores are available and spread across locations.

Comment 7 (Michael Osipov)

Is this going to be backported to 11.4 or 11.5?

Comment 8

(In reply to Michael Osipov from comment #7)

AFAIK stable/11 will go EOL before an 11.5 would typically be cut. 11.4 has all the infrastructure, but I backed out actually including the root bundle due to the glaring issues you pointed out remaining with certctl. 12.2 will be the earliest release to ship it. I'm hoping to have time to circle back to the certctl problems soon.

Comment 9 (Michael Osipov)

Alright, I was already discussing with koobs@ how this could be integrated into py-certifi.

Comment 10

(In reply to Michael Osipov from comment #9)

Yeah, so unfortunately this will be a little more complicated.

If it's not too hard to do so, then once 12.1 goes EOL, you could (in the interim) do it differently contingent on __FreeBSD_version >= 1104500, so that folks building it on 11.4 will get the current behavior while stable/11 users after 11.4 branched + >= 12.2 will get the proper integration.
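Comment 6 above raises two concrete gaps: subject-hash collisions in the hashed-symlink directory (bug 246614) and the lack of a single bundle file for consumers that cannot read an OpenSSL hashed directory. The script below is an added example, not code from this bug, from certctl(8)/trustctl(8) or from any of the linked reviews. It shows how a rehash step can assign `.0`, `.1`, ... suffixes when two distinct CAs share a subject hash (the convention OpenSSL's own `c_rehash` uses), skip a certificate that is already linked under the same SHA-256 fingerprint, and distill the per-CA directory into one PEM bundle. It assumes an `openssl` binary on PATH; the function names and directory paths are illustrative.

```shell
#!/bin/sh
# Added example: hashed-symlink generation with collision handling, plus a
# bundle step. Not the certctl(8)/trustctl(8) implementation. Assumes openssl
# on PATH; SRCDIR/DSTDIR names are hypothetical.

# cert_key FILE: print "subject_hash sha256_fingerprint FILE" for one PEM file.
# Two openssl calls keep the output order independent of the openssl version.
cert_key() {
    h=$(openssl x509 -in "$1" -noout -subject_hash) || return 1
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2) || return 1
    printf '%s %s %s\n' "$h" "$fp" "$1"
}

# plan_links: read "hash fingerprint file" lines on stdin and emit
# "hash.N<TAB>file" lines, where N counts earlier certificates that produced
# the same subject hash (so a collision yields HASH.0 and HASH.1 rather than
# one link clobbering the other). A repeated fingerprint is the same
# certificate and is dropped. Pure awk, so the collision logic can be
# exercised without any certificates or openssl present.
plan_links() {
    awk '
        fp[$2]++ { next }                       # identical cert already planned
        { n = seen[$1]++; print $1 "." n "\t" $3 }
    '
}

# link_certs SRCDIR DSTDIR: create the hashed symlinks in DSTDIR for every
# *.pem in SRCDIR (e.g. a per-CA tree under /usr/share/certs -> /etc/ssl/certs).
link_certs() {
    src=$1 dst=$2
    mkdir -p "$dst"
    for f in "$src"/*.pem; do
        [ -f "$f" ] && cert_key "$f"
    done | plan_links | while IFS="$(printf '\t')" read -r link target; do
        ln -sf "$target" "$dst/$link"
    done
}

# bundle_certs SRCDIR OUTFILE: concatenate the per-CA files into a single PEM
# bundle at a well-known path for consumers that only take one file
# (curl's CAfile, Python's certifi, Java keystore import, and so on).
bundle_certs() {
    cat "$1"/*.pem > "$2"
}
```

Usage would be `link_certs /usr/share/certs/trusted /etc/ssl/certs` followed by `bundle_certs /usr/share/certs/trusted /etc/ssl/cert.pem` (paths illustrative). The numbering is per subject hash in input order, which is what OpenSSL's lookup by hash expects: it tries HASH.0, HASH.1, ... until it finds a certificate whose subject actually matches, so a collision is harmless only if every colliding certificate gets its own suffix.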