Bug 235703 - security/gnutls - add defaults, enable SSL3, provide test-target
Summary: security/gnutls - add defaults, enable SSL3, provide test-target
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Tijl Coosemans
Depends on:
Reported: 2019-02-12 19:01 UTC by Mikhail Teterin
Modified: 2019-03-28 23:38 UTC

See Also:
tijl: maintainer-feedback+

Patch (version 1) (739 bytes, patch)
2019-02-12 19:01 UTC, Mikhail Teterin

Description Mikhail Teterin freebsd_committer 2019-02-12 19:01:48 UTC
Created attachment 201964 [details]
Patch (version 1)

The proposed patch provides the following improvements:
- Set the various defaults to where things are (or might be) on a FreeBSD system
- Enable SSL3 support -- though the mechanism may be outdated/insecure, it may still be used
- Declare the TEST_TARGET so "make test" in the port does something useful
Comment 1 Tijl Coosemans freebsd_committer 2019-02-17 10:13:39 UTC
(In reply to Mikhail Teterin from comment #0)
I don't want to enable SSL3:
1) Nobody has asked for it and if there are no users I'd be wasting my time maintaining it.
2) Users should just upgrade to TLS.  I don't want to accommodate their bad practices.
3) I think there are MITM attacks that can downgrade TLS 1.0 connections to SSL3.

The other changes I'm still looking into.  The pkcs11 default seems wrong.  It needs to be something like "pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit".
Comment 2 Mikhail Teterin freebsd_committer 2019-02-17 12:44:32 UTC
(In reply to Tijl Coosemans from comment #1)
> I don't want to enable SSL3

Personally, I'm an adherent of the principle the Athena project articulated decades ago: "Mechanism, not Policy". That is, software is to provide mechanism(s), rendering any policy(ies) regarding their use onto the users.

The world of crypto/security's been guided by the exact opposite for a while, which to me seems dictatorial, but I do not insist...

> It needs to be something like "pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit".

The string I'm specifying is a path to the file, where the string you are quoting could be found. The software's default is /etc/gnutls/pkcs11.conf -- you can confirm this with "strings /usr/local/lib/libgnutls.so | grep /etc" (on an unpatched system).
Comment 3 commit-hook freebsd_committer 2019-02-24 15:23:02 UTC
A commit references this bug:

Author: tijl
Date: Sun Feb 24 15:22:41 UTC 2019
New revision: 493765
URL: https://svnweb.freebsd.org/changeset/ports/493765

  - Let gnutls look for its configuration files in PREFIX/etc instead of /etc.
  - Use --with-default-trust-store-file to set the location of the root
    certificates so configure doesn't have to autodetect this and the
    build dependency can be removed.
  - Define TEST_TARGET.
  - Remove DOCSDIR.  The files are also in PREFIX/share/info.
  - Use p11-kit-trust as the default PKCS#11 trust store.

  PR:		235703
  Reported by:	mi

Comment 4 Tijl Coosemans freebsd_committer 2019-02-24 15:29:24 UTC
The commit doesn't contain --with-default-trust-store-dir because it's unused if there's a pkcs11 or file trust store.  The pkcs11 trust store was set using a URI instead of a path.  I also patched all documentation.
Comment 5 Mikhail Teterin freebsd_committer 2019-02-25 04:25:52 UTC
(In reply to Tijl Coosemans from comment #4)
Ok, so how do I make GnuTLS programs accept the same CA certificates that OpenSSL-based software accepts on the same machine?
Comment 6 Tijl Coosemans freebsd_committer 2019-02-26 11:50:35 UTC
(In reply to Mikhail Teterin from comment #5)
You can append .crt files to /usr/local/share/certs/ca-root-nss.crt.  We are missing something like Debian update-ca-certificates.
Comment 7 Mikhail Teterin freebsd_committer 2019-03-28 23:38:08 UTC
(In reply to Tijl Coosemans from comment #6)
I know, we don't have a system-wide certificate management utility. Still, I was hoping GnuTLS can be configured to trust the same certificates that OpenSSL is already trusting...

> You can append .crt files to /usr/local/share/certs/ca-root-nss.crt

Obviously, this is unsatisfying, because one would have to repeat the process every time the bundle is upgraded...
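The complaint in comments 6 and 7 is that appending local CA certificates directly to the packaged ca-root-nss.crt is lost on every upgrade of that bundle. One way to avoid that, shown here as an added example that is not part of the bug report, the commit, or the ports tree, is to keep locally trusted certificates in their own directory and regenerate a combined bundle from the packaged file plus those extras, so that the same file can be handed to both GnuTLS and OpenSSL clients. The directory /usr/local/etc/ssl/local-cas, the output path, and the function names are assumptions; the PEM blobs used below are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: rebuild a combined CA bundle from the packaged bundle plus
# locally maintained extras.  Rerunning after a package upgrade of the base
# bundle reproduces the same result, so nothing has to be appended by hand.
# Paths and the extras-directory layout are assumptions, not FreeBSD defaults.
set -eu

count_certs() {
    # Number of PEM certificate blocks in a file; prints 0 if the file is missing.
    if [ -f "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

build_bundle() {
    # build_bundle BASE_BUNDLE EXTRAS_DIR OUTPUT
    # Writes BASE_BUNDLE followed by every *.crt in EXTRAS_DIR that actually
    # contains a PEM certificate block to OUTPUT, replacing it atomically.
    # Prints the number of certificates in the resulting bundle.
    base=$1; extras=$2; out=$3
    tmp=$(mktemp "${out}.XXXXXX")
    cat "$base" > "$tmp"
    for f in "$extras"/*.crt; do
        [ -f "$f" ] || continue
        if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            # A marker line outside the BEGIN/END block is ignored by PEM
            # parsers and documents where each extra certificate came from.
            printf '\n## local: %s\n' "$(basename "$f")" >> "$tmp"
            cat "$f" >> "$tmp"
        else
            echo "skipping $f: no PEM certificate found" >&2
        fi
    done
    chmod 0644 "$tmp"
    mv "$tmp" "$out"
    count_certs "$out"
}

# Stand-alone usage (assumed paths):
#   sh build-bundle.sh /usr/local/share/certs/ca-root-nss.crt \
#       /usr/local/etc/ssl/local-cas /usr/local/etc/ssl/combined-cas.crt
if [ $# -ge 3 ]; then
    build_bundle "$@"
fi
```

Once the combined file exists, both families of tools can be pointed at it explicitly: gnutls-cli accepts it via --x509cafile and the OpenSSL command-line tools via -CAfile, so a certificate that verifies under one will verify under the other. The script is safe to run from a periodic job or a package post-install hook because it never modifies the packaged bundle itself.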