tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Architecture neutral packages (mozilla-rootcerts-openssl)



NetBSD is the only OS I regularly use that comes without a set of root certificates by default. All Linux distros have them. People that set up CI systems, VMs, laptops, etc. generally expect them to be there.

As someone who not only administers a good number of NetBSD servers but has also helped many others set up and administer their own NetBSD servers, I think this is very important.

How it ultimately happens is up to people who understand things better than I do, but what whould be lovely to see would be:

1) a way to install rootcerts in sysinst

2) a way to install them post-install, and/or update them

3) an easy way for people who have reasons to be deliberate to allow /
   block certain certs so that updates don't undo their work


We used to have sup [1] which allowed less technical (or more lazy) people to simply update certain things, and I think it's a shame it went away without a decent replacement. But I think we can all agree that people who use NetBSD trust NetBSD.org servers as a source for updates, and since the OS has ssh fingerprints for various NetBSD servers, it stands to reason that a set of usable rootcerts (with an option to be selective) be offered by NetBSD. But which tool can people use to get these updates from NetBSD via ssh?

(a tangent: if we move to Mercurial and turn off the CVS servers, we'll completely lose the ability to update source trees without installing packages... not a fan of the idea)

I recently had a fun time trying to explain to someone what to do when they got this when trying to fetch (from cdn.NetBSD.org!) using ftp on a new system:

Trying 151.101.209.6:443 ...
18446744073709551615:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1919:
ftp: Can't connect to `cdn.netbsd.org:https'

A quick look at ftp(1), searching for "cert", shows:

     https://[user[:password]@]host[:port]/path
           An HTTPS URL, retrieved using the HTTPS protocol.  If set
           https_proxy is defined, it is used as a URL to an HTTPS proxy
           server.  If HTTPS authorization is required to retrieve path, and
           user (and optionally password) is in the URL, use them for the
           first attempt to authenticate.  There is currently no certificate
           validation and verification.

"There is currently no certificate validation and verification." needs to be fixed, because obviously that changed.

Further down:

     FTPSSLNOVERIFY
                    Set to 1 to not verify SSL certificates.

It's not immediately apparent to a beginner that one needs to "export FTPSSLNOVERIFY=1"; there really should be a command line option to ftp that does this.

Perhaps, if nothing else, NetBSD should ship with at least the minimum rootcerts needed so that NetBSD.org certificates work, which would then make it possible to safely fetch, whether by base set or pkgsrc, a full set of rootcerts?

John


[1] https://man.netbsd.org/NetBSD-9.2/sup.1


Home | Main Index | Thread Index | Old Index