Bug 228913 - Include a root certificate bundle in the base system
Summary: Include a root certificate bundle in the base system
Status: In Progress
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Kyle Evans
Depends on: 246190 246614
Reported: 2018-06-12 08:08 UTC by Rodney W. Grimes
Modified: 2021-06-18 11:51 UTC (History)
CC List: 6 users

Description Rodney W. Grimes freebsd_committer 2018-06-12 08:08:44 UTC
Add the/a root CA to the base system
Comment 1 Allan Jude freebsd_committer 2018-08-20 20:37:36 UTC
This item is progressing

This script will allow secteam@ to convert the NSS bundle into the per-CA files to be installed in /usr/share/certs


There is a second part, trustctl(8), that creates the hashed symlinks in /etc/ssl/certs that is almost finished.
Comment 2 Allan Jude freebsd_committer 2018-08-20 20:41:21 UTC
(In reply to Allan Jude from comment #1)
That link should be: https://reviews.freebsd.org/D16684
Comment 3 Allan Jude freebsd_committer 2018-08-23 03:48:47 UTC
Actual certificates for base:

Comment 4 Michael Osipov 2020-05-20 20:11:43 UTC
Allan, I think there is still room for improvement. I'd like to add value to the issue because I desperately need it.
Comment 5 Allan Jude freebsd_committer 2020-05-21 16:34:38 UTC
(In reply to Michael Osipov from comment #4)
Kyle Evans has completed most of the work here. I don't know that there is much left to do. What ideas did you have?
Comment 6 Michael Osipov 2020-05-21 16:43:53 UTC
(In reply to Allan Jude from comment #5)

Off the top of my head, two issues; for the rest I need to review at least the script:

* Subject hash collisions are not handled at all, see bug 246614
* It would be very helpful for non-OpenSSL users/other apps to distill a crt file from all certs in the certs/ dir to a well-known location.
* As soon as this is available, consider what will happen with ca_root_nss, because I am certain it will cause confusion that two stores are available and spread across locations
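The two gaps raised in the comment above (collision-safe hashed link names, and distilling one well-known .crt file from the per-CA files) as an added example; this is not certctl's code, the certificates are constructed PEM-shaped blobs, and the subject-hash function is a constructed stand-in for what `openssl x509 -subject_hash` would return.

```python
import base64
import hashlib
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S)

def split_bundle(bundle_text):
    """Split a concatenated PEM bundle (e.g. NSS-derived) into per-cert PEM blocks."""
    return [m.group(0) + "\n" for m in _PEM_RE.finditer(bundle_text)]

def fingerprint(pem):
    """SHA-256 over the DER body; identifies the same cert installed under two names."""
    der = base64.b64decode("".join(_PEM_RE.search(pem).group(1).split()))
    return hashlib.sha256(der).hexdigest()

def hashed_links(certs, subject_hash):
    """Assign <hash>.<n> link names the way OpenSSL's c_rehash does: distinct
    certs that share a subject hash get increasing suffixes instead of
    clobbering each other, and an exact duplicate is linked only once.
    `certs` is {filename: pem}; `subject_hash(pem)` returns the 8-hex-digit hash."""
    links, seen = {}, set()
    for name, pem in certs.items():
        fp = subject_hash(pem), fingerprint(pem)
        if fp[1] in seen:
            continue  # same certificate under another filename: one link is enough
        n = 0
        while f"{fp[0]}.{n}" in links:
            n += 1  # collision with a different cert: take the next suffix
        links[f"{fp[0]}.{n}"] = name
        seen.add(fp[1])
    return links

def build_bundle(certs):
    """Distil one .crt file from all per-CA files, in stable filename order."""
    return "".join(pem for _, pem in sorted(certs.items()))

def _fake_pem(seed):
    """Constructed PEM-shaped blob for the demo; not a real X.509 certificate."""
    body = base64.b64encode(hashlib.sha256(seed.encode()).digest() * 3).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed store: two distinct roots that collide on subject hash, plus a
# duplicate of the first under a second filename. Hash value is constructed.
DEMO_CERTS = {"RootA.pem": _fake_pem("A"), "RootB.pem": _fake_pem("B"),
              "RootA-copy.pem": _fake_pem("A")}

def demo_links():
    return hashed_links(DEMO_CERTS, lambda pem: "0a1b2c3d")
```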
Comment 7 Michael Osipov 2020-06-16 10:09:15 UTC
Is this going to be backported to 11.4 or 11.5?
Comment 8 Kyle Evans freebsd_committer 2020-06-16 11:22:53 UTC
(In reply to Michael Osipov from comment #7)

AFAIK stable/11 will go EOL before an 11.5 would typically be cut. 11.4 has all the infrastructure, but I backed out actually including the root bundle due to the glaring issues you pointed out remaining with certctl. 12.2 will be the earliest release to ship it.

I'm hoping to have time to circle back to the certctl problems soon.
Comment 9 Michael Osipov 2020-06-16 12:07:33 UTC
Alright, I was already discussing with koobs@ how this could be integrated into py-certifi.
Comment 10 Kyle Evans freebsd_committer 2020-06-16 12:44:46 UTC
(In reply to Michael Osipov from comment #9)

Yeah, so unfortunately this will be a little more complicated. If it's not too hard to do so, then once 12.1 goes EOL, you could (in the interim) do it differently contingent on __FreeBSD_version >= 1104500 so that folks building it on 11.4 will get the current behavior while stable/11 users after 11.4 branched + >= 12.2 will get the proper integration.