Created attachment 201964
Patch (version 1)
The proposed patch provides the following improvements:
- Set the various defaults to where things are (or might be) on a FreeBSD system
- Enable SSL3 support -- though the mechanism may be outdated/insecure, it may still be used
- Declare the TEST_TARGET so "make test" in the port does something useful
(In reply to Mikhail Teterin from comment #0)
I don't want to enable SSL3:
1) Nobody has asked for it and if there are no users I'd be wasting my time maintaining it.
2) Users should just upgrade to TLS. I don't want to accommodate their bad practices.
3) I think there are MITM attacks that can downgrade TLS 1.0 connections to SSL3.
The other changes I'm still looking into. The pkcs11 default seems wrong. It needs to be something like "pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit".
(In reply to Tijl Coosemans from comment #1)
> I don't want to enable SSL3
Personally, I'm an adherent of the principle the Athena project articulated decades ago: "Mechanism, not policy". That is, software is to provide mechanism(s), leaving any policy(ies) regarding their use to the users.
The world of crypto/security's been guided by the exact opposite for a while, which to me seems dictatorial, but I do not insist...
> It needs to be something like "pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit".
The string I'm specifying is a path to the file where the string you are quoting could be found. The software's default is /etc/gnutls/pkcs11.conf -- you can confirm this with "strings /usr/local/lib/libgnutls.so | grep /etc" (on an unpatched system).
A commit references this bug:
Date: Sun Feb 24 15:22:41 UTC 2019
New revision: 493765
- Let gnutls look for its configuration files in PREFIX/etc instead of /etc.
- Use --with-default-trust-store-file to set the location of the root
certificates so configure doesn't have to autodetect this and the
build dependency can be removed.
- Define TEST_TARGET.
- Remove DOCSDIR. The files are also in PREFIX/share/info.
- Use p11-kit-trust as the default PKCS#11 trust store.
Reported by: mi
The commit doesn't contain --with-default-trust-store-dir because it's unused if there's a pkcs11 or file trust store. The pkcs11 trust store was set using a URI instead of a path. I also patched all documentation.
(In reply to Tijl Coosemans from comment #4)
Ok, so how do I make GnuTLS programs accept the same CA certificates that OpenSSL-based software accepts on the same machine?
(In reply to Mikhail Teterin from comment #5)
You can append .crt files to /usr/local/share/certs/ca-root-nss.crt. We are missing something like Debian update-ca-certificates.
(In reply to Tijl Coosemans from comment #6)
I know, we don't have a system-wide certificate management utility. Still, I was hoping GnuTLS could be configured to trust the same certificates that OpenSSL already trusts...
> You can append .crt files to /usr/local/share/certs/ca-root-nss.crt
Obviously, this is unsatisfying, because one would have to repeat the process every time the bundle is upgraded...
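The update-ca-certificates-style step the thread says is missing, as an added shell example (not code from the thread, from GnuTLS, or from the FreeBSD ports tree): instead of appending to ca-root-nss.crt, it regenerates a separate combined bundle from the base bundle plus a directory of local .crt files, so the base bundle is never edited and the local additions survive its upgrade. The function names, the /usr/local/etc/ssl/certs path hint, and the PEM blocks are constructed for the example (the blocks are placeholders, not real certificates); the merge only deduplicates byte-identical PEM blocks, so a re-issued CA with different bytes would appear twice.

```shell
#!/bin/sh
# Added example: regenerate a combined CA bundle from a base bundle plus a
# directory of local .crt files. Re-run after every upgrade of the base bundle;
# the base is only read, never modified, so local additions are never lost.
# Intended use on FreeBSD (paths are assumptions, not the port's defaults):
#   merge_ca_bundle /usr/local/share/certs/ca-root-nss.crt \
#                   /usr/local/etc/ssl/certs /usr/local/etc/ssl/merged.crt
merge_ca_bundle() {
    base_bundle="$1"; local_dir="$2"; out_bundle="$3"
    {
        cat "$base_bundle"
        for f in "$local_dir"/*.crt; do
            if [ -f "$f" ]; then cat "$f"; fi
        done
    } | awk '
        # Collect each PEM block and emit it once, keyed on its exact text.
        /^-----BEGIN CERTIFICATE-----$/ { inblock = 1; block = "" }
        inblock { block = block $0 "\n" }
        /^-----END CERTIFICATE-----$/ {
            inblock = 0
            if (!(block in seen)) { seen[block] = 1; printf "%s", block }
        }
    ' > "$out_bundle"
}

# Number of certificates in a PEM bundle (one END marker per certificate).
count_certs() {
    grep -c '^-----END CERTIFICATE-----$' "$1"
}

# Constructed placeholder "certificate" for the demo; not real DER/base64.
fake_cert() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        "CONSTRUCTED-EXAMPLE-CERT-$1" '-----END CERTIFICATE-----'
}

# Demo: base bundle {A,B}, local dir {B (duplicate), C}; then "upgrade" the base
# bundle by adding D and re-run. Prints the cert counts of both merges: "3 4".
demo_merge() {
    tmp=$(mktemp -d)
    mkdir "$tmp/local"
    { fake_cert A; fake_cert B; } > "$tmp/base.crt"
    fake_cert B > "$tmp/local/b.crt"
    fake_cert C > "$tmp/local/corp-ca.crt"
    merge_ca_bundle "$tmp/base.crt" "$tmp/local" "$tmp/merged.crt"
    first=$(count_certs "$tmp/merged.crt")
    fake_cert D >> "$tmp/base.crt"          # simulated upgrade of the base bundle
    merge_ca_bundle "$tmp/base.crt" "$tmp/local" "$tmp/merged.crt"
    second=$(count_certs "$tmp/merged.crt")
    rm -rf "$tmp"
    echo "$first $second"
}
```

Point GnuTLS at the generated file (via the --with-default-trust-store-file location the commit introduced, or the application's own trust-store setting) and OpenSSL-based software at the same file, and both sides then trust the same set after every upgrade, provided the merge is re-run by whatever mechanism updates the base bundle.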