Bug 220511 - [PATCH] security/ca_root_nss: Add port option to remove duplicate certs based on Subject
Summary: [PATCH] security/ca_root_nss: Add port option to remove duplicate certs based...
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Ports Security Team
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2017-07-06 12:52 UTC by Jim Pirzyk
Modified: 2019-08-17 14:40 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (ports-secteam)


Attachments
Patch to add make option (2.86 KB, patch)
2017-07-06 12:52 UTC, Jim Pirzyk
no flags Details | Diff
Patch to add make option (Fixed typo) (2.85 KB, patch)
2017-07-11 12:35 UTC, Jim Pirzyk
no flags Details | Diff
Updated patch (2.93 KB, patch)
2019-02-16 00:42 UTC, Jim Pirzyk
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jim Pirzyk freebsd_committer 2017-07-06 12:52:31 UTC
Created attachment 184124 [details]
Patch to add make option

The current ca_root_nss package will bundle up certificates based on their Subject and Serial, this works well for most packages but it does present a problem for OpenVPN.  OpenVPN insists only on unique Subjects, see https://forums.freebsd.org/threads/60254/

Currently StartSSL has two certs in ca_root_nss, Serial 0 and 45.  They represent SHA1 and SHA256.  The attached patch will use Serial 45 cert and ignore the SHA1 cert (based on larger Serial Numbers).

Ideally the solution is to get OpenVPN to properly handle multiple CAs with the same Subject line (using the Serial) but until then, this is plausable workaround.  This option is not on by default.
Comment 1 Mark Felder freebsd_committer 2017-07-06 13:02:05 UTC
One could argue that StartSSL should just be blacklisted entirely, but on the other hand I'm also very wary of distributing any version of ca_root_nss that has been modified in any way.


I'd like to hear input from other ports-secteam@ members
Comment 2 Jason Unovitch freebsd_committer 2017-07-09 00:12:26 UTC
I concur that I'm a bit weary to distribute a modified ca_root_nss port by default. I feel we should remain without bias on what upstream is providing.

However for an off by default option this does look like a viable workaround for the bug. I would like to see this reported to the OpenVPN folks first before making a modification like this particularly if OpenVPN is the only software impacted by this.

On the purely technical side from a cursory look at the patch the NODUPS_CONFIGURE_ON looks far too close to a port "option helper" when it is just used as an environmental variable. Seeing it wrapped in the PORT_OPTION check threw me for a bit. I would change that and fix the "ingnoring" typo at a minimum.
Comment 3 Jim Pirzyk freebsd_committer 2017-07-11 12:35:12 UTC
Created attachment 184255 [details]
Patch to add make option (Fixed typo)
Comment 4 Jim Pirzyk freebsd_committer 2017-07-11 12:37:50 UTC
OpenVPN Bug report https://community.openvpn.net/openvpn/ticket/913
Comment 5 Jochen Neumeister freebsd_committer 2019-02-15 18:18:22 UTC
what is the current status?
Does ports-secteam have to be active here?
Comment 6 Jim Pirzyk freebsd_committer 2019-02-15 19:07:50 UTC
OpenVPN closed the bug report as not a bug.  They do not recognize the need to have multiple Subject entries in the ca_root_nss file.  While removing StartSSL would get around the issue, it doesn't solve the underlying problem.

The basic question here is "Is having duplicate Subject lines in the ca_root_nss file accept and supported?"  and if so, "What do we do with applications that do not (or will not) support such a configuration?"
Comment 7 Jochen Neumeister freebsd_committer 2019-02-15 19:17:28 UTC
Your patch should fix that in FreeBSD, right? Unfortunately he is 2 years old. Can he still be used? (I did not test it)
Comment 8 Jim Pirzyk freebsd_committer 2019-02-16 00:42:56 UTC
Created attachment 202060 [details]
Updated patch
Comment 9 Walter Schwarzenfeld freebsd_triage 2019-08-13 11:18:09 UTC
ping!
Comment 10 Jim Pirzyk freebsd_committer 2019-08-17 14:40:50 UTC
(In reply to Walter Schwarzenfeld from comment #9)

What are we pinging here?  I have submitted an updated patch.