Bug 274016

Summary: certctl(8): deprecate and remove usage of <DESTDIR>/usr/local/etc/ssl/certs and <DESTDIR>/usr/local/etc/ssl/blacklisted as source for custom CA certificates
Product: Base System Reporter: Michael Osipov <michael.osipov>
Component: binAssignee: freebsd-bugs (Nobody) <bugs>
Status: Open ---    
Severity: Affects Some People CC: chris, grahamperrin, michael.osipov, pat, ronald
Priority: ---    
Version: 12.4-STABLE   
Hardware: Any   
OS: Any   

Description Michael Osipov 2023-09-22 07:57:27 UTC
While discussing Bug 269473 me and others discovered that it is an abuse of /usr/local/etc/ssl/certs and likely /usr/local/etc/ssl/blacklisted.

certctl(8) defines the following input directories:
>      TRUSTPATH         List of paths to search for trusted certificates.
>                        Default: <DESTDIR>/usr/share/certs/trusted
>                        <DESTDIR>/usr/local/share/certs
>                        <DESTDIR>/usr/local/etc/ssl/certs
> 
>      BLACKLISTPATH     List of paths to search for blacklisted certificates.
>                        Default: <DESTDIR>/usr/share/certs/blacklisted
>                        <DESTDIR>/usr/local/etc/ssl/blacklisted

TRUSTPATH: <DESTDIR>/usr/local/etc/ssl/certs
When any OpenSSL derivate is installed from ports, is expects that its rehash algorithm puts hashed links to /usr/local/etc/ssl/certs. This is not supposed to be an input directory to another hashing process, but solely output to ports hashing and input for any ports OpenSSL derivate. An implementation detail so to speak. The actual subject hashing is an implementation detail and not publically documented unless you read the source code.
In that spirit, this dir should be deprecated and removed w/o replacement since we have <DESTDIR>/usr/local/share/certs for custom certs beyond base.

BLACKLISTPATH: <DESTDIR>/usr/local/etc/ssl/blacklisted. This is logically identical to the above. /usr/local/etc/ssl serves as OPENSSLDIR. The actual, logical path should be <DESTDIR>/usr/local/share/certs/blacklisted. Identical approach, introduce new one, deprecate and remove old one.

I am certain that I have discussed this to some degree with Kyle Evans (kevans@), but he has left the topic, unfortunately.
Comment 1 Michael Osipov 2023-09-22 08:07:04 UTC
Note: This applies to any version of FreeBSD with certctl(8).