tech-pkg archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Architecture neutral packages (mozilla-rootcerts-openssl)
NetBSD is the only OS I regularly use that comes without a set of root
certificates by default. All Linux distros have them. People that set up
CI systems, VMs, laptops, etc. generally expect them to be there.
As someone who not only administers a good number of NetBSD servers but
has also helped many others set up and administer their own NetBSD
servers, I think this is very important.
How it ultimately happens is up to people who understand things better
than I do, but what whould be lovely to see would be:
1) a way to install rootcerts in sysinst
2) a way to install them post-install, and/or update them
3) an easy way for people who have reasons to be deliberate to allow /
block certain certs so that updates don't undo their work
We used to have sup [1] which allowed less technical (or more lazy) people
to simply update certain things, and I think it's a shame it went away
without a decent replacement. But I think we can all agree that people who
use NetBSD trust NetBSD.org servers as a source for updates, and since the
OS has ssh fingerprints for various NetBSD servers, it stands to reason
that a set of usable rootcerts (with an option to be selective) be offered
by NetBSD. But which tool can people use to get these updates from NetBSD
via ssh?
(a tangent: if we move to Mercurial and turn off the CVS servers, we'll
completely lose the ability to update source trees without installing
packages... not a fan of the idea)
I recently had a fun time trying to explain to someone what to do when
they got this when trying to fetch (from cdn.NetBSD.org!) using ftp on a
new system:
Trying 151.101.209.6:443 ...
18446744073709551615:error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify
failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1919:
ftp: Can't connect to `cdn.netbsd.org:https'
A quick look at ftp(1), searching for "cert", shows:
https://[user[:password]@]host[:port]/path
An HTTPS URL, retrieved using the HTTPS protocol. If set
https_proxy is defined, it is used as a URL to an HTTPS proxy
server. If HTTPS authorization is required to retrieve path, and
user (and optionally password) is in the URL, use them for the
first attempt to authenticate. There is currently no certificate
validation and verification.
"There is currently no certificate validation and verification." needs to
be fixed, because obviously that changed.
Further down:
FTPSSLNOVERIFY
Set to 1 to not verify SSL certificates.
It's not immediately apparent to a beginner that one needs to "export
FTPSSLNOVERIFY=1"; there really should be a command line option to ftp
that does this.
Perhaps, if nothing else, NetBSD should ship with at least the minimum
rootcerts needed so that NetBSD.org certificates work, which would then
make it possible to safely fetch, whether by base set or pkgsrc, a full
set of rootcerts?
John
[1] https://man.netbsd.org/NetBSD-9.2/sup.1
Home |
Main Index |
Thread Index |
Old Index