Bug 228550 - security/ca_root_nss pkg-message claims to use symlinks but mostly doesn't
Summary: security/ca_root_nss pkg-message claims to use symlinks but mostly doesn't
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Jochen Neumeister
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-27 18:37 UTC by Jeremy Chadwick
Modified: 2023-10-16 05:45 UTC

See Also:
Flags: fbsdbugs4: maintainer-feedback?


Attachments
example patch for ca_root_nss (1.37 KB, patch)
2022-03-04 16:15 UTC, Henrik Rosenke

Description Jeremy Chadwick 2018-05-27 18:37:34 UTC
ca_root_nss's pkg-message claims the following:

===
This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without manual
intervention.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem
===

This appears to be mostly false: only one of those files is a symlink, the others are actual data (and not hardlinked either, all different inodes).  Proof:

$ ls -li /etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem
 1926146 lrwxr-xr-x    1 root      wheel         38 May 25 18:12 /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
15168803 -rw-r--r--    1 root      wheel     789991 May 25 18:12 /usr/local/etc/ssl/cert.pem
15168805 -rw-r--r--    1 root      wheel     789991 May 25 18:12 /usr/local/openssl/cert.pem

And let's check out /usr/local/share/certs/ca-root-nss.crt for completion:

$ ls -li /usr/local/share/certs/ca-root-nss.crt
15168667 -rw-r--r--    1 root      wheel     789991 May 25 18:12 /usr/local/share/certs/ca-root-nss.crt

And the md5s of all the literal files:

$ md5 /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem /usr/local/share/certs/ca-root-nss.crt
MD5 (/usr/local/etc/ssl/cert.pem) = 2e98964306c1868bcabf06364514f216
MD5 (/usr/local/openssl/cert.pem) = 2e98964306c1868bcabf06364514f216
MD5 (/usr/local/share/certs/ca-root-nss.crt) = 2e98964306c1868bcabf06364514f216

So: three (3) physical copies of the same file, and one symlink to one of those copies.  Let's look further:

$ pkg info -l ca_root_nss
ca_root_nss-3.37.1:
        /etc/ssl/cert.pem
        /usr/local/etc/ssl/cert.pem.sample
        /usr/local/openssl/cert.pem.sample
        /usr/local/share/certs/ca-root-nss.crt
        /usr/local/share/licenses/ca_root_nss-3.37.1/LICENSE
        /usr/local/share/licenses/ca_root_nss-3.37.1/MPL20
        /usr/local/share/licenses/ca_root_nss-3.37.1/catalog.mk

$ ls -l /usr/local/etc/ssl/cert.pem.sample /usr/local/openssl/cert.pem.sample
lrwxr-xr-x    1 root      wheel     38 May 25 18:12 /usr/local/etc/ssl/cert.pem.sample -> /usr/local/share/certs/ca-root-nss.crt
lrwxr-xr-x    1 root      wheel     38 May 25 18:12 /usr/local/openssl/cert.pem.sample -> /usr/local/share/certs/ca-root-nss.crt

The .sample files are symlinks, but the non-.sample files aren't (sorry for the double negative).

Thus: either the message is wrong/incorrect, or something changed between when the message was written and present that removed use of symlinks and instead uses literal copies.

I reviewed the Makefile, target do-install, and all I see being done symlink-wise is for .sample files.  I'm not even sure what's generating the non-.sample files...
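A script that runs the checks described in the report above in one pass (is each candidate path a symlink, and if not, is its content identical to the canonical bundle?) is useful when auditing a host after a ca_root_nss upgrade. The following is an added example written for this page; it is not code from the ca_root_nss port or from the reporter. It assumes realpath(1) and one of sha256(1) (FreeBSD), sha256sum(1) or shasum(1); with no arguments it checks the three paths from the pkg-message against /usr/local/share/certs/ca-root-nss.crt, and all of those can be overridden on the command line. It goes one step beyond the report by also counting the certificates in each file, which makes a stale copy stand out even when its size happens to match.

```shell
#!/bin/sh
# check_cert_paths.sh: report whether each cert.pem that OpenSSL may consult is a
# symlink to the canonical ca_root_nss bundle, a byte-identical copy, or a
# divergent (possibly stale) file. Added example, not part of the port.
# Assumes realpath(1) and sha256(1) (FreeBSD), sha256sum(1) or shasum(1).

file_digest() {
    # SHA-256 of a file, portable across FreeBSD, GNU and BSD/macOS userlands.
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

cert_count() {
    # Number of PEM certificates in a file. grep -c prints 0 but exits 1 when
    # nothing matches, so the status is swallowed and only the count is kept.
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

classify_cert_path() {
    # Usage: classify_cert_path BUNDLE PATH
    # Prints exactly one of: missing, symlink-dangling, symlink-ok,
    # symlink-foreign, copy-identical, copy-divergent.
    local bundle=$1 path=$2 target
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo symlink-dangling
    elif [ -L "$path" ]; then
        # Resolve relative targets such as ../../usr/local/share/certs/... too.
        target=$(realpath "$path")
        if [ "$target" = "$(realpath "$bundle")" ]; then
            echo symlink-ok
        else
            echo symlink-foreign
        fi
    elif [ ! -e "$path" ]; then
        echo missing
    elif [ "$(file_digest "$path")" = "$(file_digest "$bundle")" ]; then
        echo copy-identical
    else
        echo copy-divergent
    fi
}

check_cert_paths() {
    # Usage: check_cert_paths BUNDLE PATH...
    # One line per PATH: "PATH: STATUS (N certs)". Returns 1 if any PATH could
    # hand OpenSSL a trust store other than BUNDLE (divergent copy, foreign or
    # dangling symlink). A missing file fails closed and is only reported.
    local bundle=$1 path status count rc=0
    shift
    [ -f "$bundle" ] || { echo "bundle not found: $bundle" >&2; return 2; }
    for path in "$@"; do
        status=$(classify_cert_path "$bundle" "$path")
        if [ -e "$path" ]; then
            count=$(cert_count "$path")
        else
            count=0
        fi
        printf '%s: %s (%s certs)\n' "$path" "$status" "$count"
        case $status in
            symlink-ok|copy-identical|missing) ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

main() {
    # Defaults are the bundle plus the three paths named in the pkg-message.
    if [ $# -eq 0 ]; then
        set -- /usr/local/share/certs/ca-root-nss.crt \
               /etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem
    fi
    check_cert_paths "$@"
}

# Only run when invoked as a script under this name, so the functions can
# also be sourced into another shell without side effects.
case ${0##*/} in
    check_cert_paths.sh) main "$@" ;;
esac
```

Save it as check_cert_paths.sh and run `sh check_cert_paths.sh` on the host; a nonzero exit means some path would give OpenSSL a different set of trust anchors than the installed bundle, which is exactly the situation a literal copy left behind by an older package produces.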
Comment 1 Jochen Neumeister 2019-02-15 18:26:39 UTC
what is the current status?
Does ports-secteam have to be active here?
Comment 2 Walter Schwarzenfeld 2019-08-16 03:03:16 UTC
ping!
Comment 3 Jochen Neumeister 2020-07-23 15:27:40 UTC
No answer to my question from 2019-02-15. Closed
Comment 4 Jeremy Chadwick 2020-07-23 17:41:38 UTC
Re-opening because this problem has not gone away.  I don't know why FreeBSD project members would think that.  You can verify the problem yourself; the initial report contains the details.

ports-secteam@ is the maintainer of this port.  I do not know if "they should be involved", as I suspect there is only 1 person in that team who actually maintains this port.  No idea who that is.

To recap: the problem is explained in the description of this bug, and at the end of my initial comment:

> Thus: either the message is wrong/incorrect, or something changed between when the message was written and present that removed use of symlinks and instead uses literal copies.

> I reviewed the Makefile, target do-install, and all I see being done symlink-wise is for .sample files.  I'm not even sure what's generating the non-.sample files...

So: either a) pkg-message need to be updated to reflect the truth, or b) actual symlinks need to be used everywhere and not copies.
Comment 5 Trev 2022-01-11 03:56:13 UTC
I just ran into this problem having discovered that there was an outdated cert.pem from 2015 in /usr/local/etc/ssl and only a cert.pem.sample -> ../../share/certs/ca-root-nss.crt link, which is why using fetch for sites with the new Let's Encrypt root certificate was failing.

The package message is wrong.
Comment 6 Henrik Rosenke 2022-03-04 16:15:18 UTC
Created attachment 232249
example patch for ca_root_nss
Comment 7 commit-hook 2022-03-13 12:05:37 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8c042351fc7f0b70658c9bb1207a781b1f0fb10b

commit 8c042351fc7f0b70658c9bb1207a781b1f0fb10b
Author:     Jochen Neumeister <joneum@FreeBSD.org>
AuthorDate: 2022-03-13 12:02:55 +0000
Commit:     Jochen Neumeister <joneum@FreeBSD.org>
CommitDate: 2022-03-13 12:05:08 +0000

    security/ca_root_nss: Update to 3.76

    Update to 3.76 and fix do-install (1)

    PR:     228550 (1)
    Approved by:    ports-secteam (with hat)
    Sponsored by:   Netzkommune GmbH

 security/ca_root_nss/Makefile  | 6 +++---
 security/ca_root_nss/distinfo  | 6 +++---
 security/ca_root_nss/pkg-plist | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)
Comment 8 Jeremy Chadwick 2023-10-14 07:14:24 UTC
This is now broken again.  On a 13.3-RELEASE-p2 system, we now find 3 physical copies of the certificate:

root@host:~ # find / \( -name "cert.pem" -or -name "ca-root-nss.crt" \) -ls
    50     1536 -rw-r--r--    1 root                             wheel                              746820 Oct 10 02:03 /usr/local/share/certs/ca-root-nss.crt
    30     1536 -rw-r--r--    1 root                             wheel                              746820 Oct 10 02:03 /usr/local/etc/ssl/cert.pem
    51     1536 -rw-r--r--    1 root                             wheel                              746820 Oct 10 02:03 /usr/local/openssl/cert.pem
201237        0 lrwxr-xr-x    1 root                             wheel                                  43 Oct 10 02:03 /etc/ssl/cert.pem -> ../../usr/local/share/certs/ca-root-nss.crt

root@host:~ # pkg info | grep ca_root_nss
ca_root_nss-3.93_2             Root certificate bundle from the Mozilla Project
Comment 9 Jochen Neumeister 2023-10-16 05:44:44 UTC
I am not sure if this has to do with the changes Dag-Erling has made to the port. I add him to this PR for his opinion.