Created attachment 184124 [details]
Patch to add make option
The current ca_root_nss package will bundle up certificates based on their Subject and Serial, this works well for most packages but it does present a problem for OpenVPN. OpenVPN insists only on unique Subjects, see https://forums.freebsd.org/threads/60254/
Currently StartSSL has two certs in ca_root_nss, Serial 0 and 45. They represent SHA1 and SHA256. The attached patch will use Serial 45 cert and ignore the SHA1 cert (based on larger Serial Numbers).
Ideally the solution is to get OpenVPN to properly handle multiple CAs with the same Subject line (using the Serial) but until then, this is plausable workaround. This option is not on by default.
One could argue that StartSSL should just be blacklisted entirely, but on the other hand I'm also very wary of distributing any version of ca_root_nss that has been modified in any way.
I'd like to hear input from other ports-secteam@ members
I concur that I'm a bit weary to distribute a modified ca_root_nss port by default. I feel we should remain without bias on what upstream is providing.
However for an off by default option this does look like a viable workaround for the bug. I would like to see this reported to the OpenVPN folks first before making a modification like this particularly if OpenVPN is the only software impacted by this.
On the purely technical side from a cursory look at the patch the NODUPS_CONFIGURE_ON looks far too close to a port "option helper" when it is just used as an environmental variable. Seeing it wrapped in the PORT_OPTION check threw me for a bit. I would change that and fix the "ingnoring" typo at a minimum.
Created attachment 184255 [details]
Patch to add make option (Fixed typo)
OpenVPN Bug report https://community.openvpn.net/openvpn/ticket/913
what is the current status?
Does ports-secteam have to be active here?
OpenVPN closed the bug report as not a bug. They do not recognize the need to have multiple Subject entries in the ca_root_nss file. While removing StartSSL would get around the issue, it doesn't solve the underlying problem.
The basic question here is "Is having duplicate Subject lines in the ca_root_nss file accept and supported?" and if so, "What do we do with applications that do not (or will not) support such a configuration?"
Your patch should fix that in FreeBSD, right? Unfortunately he is 2 years old. Can he still be used? (I did not test it)
Created attachment 202060 [details]
(In reply to Walter Schwarzenfeld from comment #9)
What are we pinging here? I have submitted an updated patch.
There is nothing wrong having more than one cert with the same subject. I can present two public ones (CA certs) for this case. One with SHA-1, the other with SHA-256, both are still valid have validate sub certs. Throwing them out is wrong for me.
I 100% agree here. The problem is when certain applications do not properly handle multiple certs (openvpn for example). I only added this option as a way to get around the shortcoming of those apps. I would not want this option to be the default.
The question I'm asking myself is this:
If OpenVPN says this is not a bug, so not a bug, then why should we change it here? The point is that you can manage multiple certificates.
Michael and Jim are for changing it in FreeBSD anyway, right?
Are there any other opinions?
I am for not changing it, but I am open to other opinions.
(In reply to Jochen Neumeister from comment #13)
I do not consider that the port must be changed to fix an issue with OpenVPN. Rather this needs to addressed somehow else. I think that soon certctl(8) will be in place, the user has full control over certs in /etc/ssl/certs/ with blacklists and can safely block certs with subject name collision. After 12.2 and 11.4 I see no need for security/ca_root_nss at all, imho.