tech-pkg archive


Re: Handling system-wide TLS certification bundles for openssl builtin and www/curl



This looks like a behavior change always, checking magic paths that
happen to be there on CentOS, but on all systems.  And I don't see that
it is something you ask for by a variable in mk.conf, if you want to do
something different than the standard approach.

So unless I'm missing something, I object to this patch.

I think this needs stepping back and considering:

  When is pkgsrc using pkgsrc openssl and when is it using base ssl, and
  do we think those decisions are right?

  What's the grand plan for the configured set of trust anchors, for
  openssl, for other ssl libraries, and for programs that use one of
  those but provide their own set instead of using default validation?

  If someone wants to use an old branch of pkgsrc for a long time (I get
  the reasons), then perhaps they need to do security maintenance on
  that branch, essentially turning it into an LTS.   Or they might run
  their reproducible things on a computer not connected to the
  internet.   This sort of service is something the pkgsrc project does
  not currently provide, and I don't see that as likely to change.  But
  the bits are open source and anyone is likely to publish an LTS repo
  that makes whatever kind of fixes to old branches, if that's what they
  want to do -- I'd only expect that it be clearly labeled so people are
  clear that it's old and not from TNF.


In your case, if you build pkgsrc with system openssl, then I'd expect
the cert dir to point to the system place.  If you build pkgsrc with
pkgsrc openssl, then I'd expect it to point there.

So as I see it what maybe should happen is some sort of variable to
configure pkgsrc openssl, maybe other TLS implementations, and things
that pass a dir to the validator, to point to some user-defined place.

And perhaps, the handling of the default setting of the cert dir for
system openssl on some systems is wrong and should be fixed.


I think it's important not to flip users from pkgsrc certs to system
certs without them asking for it.  Part of the point of pkgsrc is to get
pkgsrc behavior everywhere.

Hope this helps...
