pkgsrc-Users archive


Re: Depending on security/ca-certificates?



Michael-John Turner <mj%mjturner.net@localhost> writes:

>>One view is that the admin has failed to configure the set of trust
>>anchors that they want to trust, and that this isn't a bug in your
>>package, but a feature that CAs that the admin hasn't approved aren't
>>being used.  That's more or less how I see it.
>
> Yes, true. One obvious downside of that approach (as others have noted) is
> that lots of software that uses TLS doesn't work "out the box". And
> searching online for, eg, git not trusting a certificate could lead to
> the "GIT_SSL_NO_VERIFY" workaround, which is not ideal.

The other view is that a particular CA cert being pre-installed as
a trust anchor will lead to certs from it being accepted, which for some
is a security failure and hence "does not work".  We should not use the
word "works" to describe "validation succeeds" in a vacuum because
whether that outcome is "working" or "not working" depends on the user.

>>pkgsrc has more or less taken the view that choice of trust anchors is
>>up to the base system config and sysadmin decisions, and pretty clearly
>>taken the view that it is not up to individual packages to change these
>>decisions, although mozilla-rootcerts-openssl is provided as a tool for
>>admins to make that policy choice.
>
> That makes sense and (IMHO) that's a sane policy. Has the decision not to
> add default trust anchors in the base system been discussed/reviewed
> recently? It would be rather useful if pkg_add/pkgin could support https
> out the box... Both OpenBSD and FreeBSD ship with a set of trusted CAs (I'm
> assuming derived mostly from the Mozilla list, although I haven't dug into
> it in any detail).

I recall a discussion not too long ago, which probably means within 2
years.  As I see it there are multiple issues:

  NetBSD tends very hard to default off and fail safe, rather than fail
  open.  This is really an argument for a question in the installer "Do
  you want to configure the Mozilla Root Certificates as trust anchors
  for openssl?" so that people can choose to or not choose to install
  them.

  I'm fuzzy on this, but: NetBSD base systems tend not to get updated
  very fast, and it used to be that people thought that the mozilla root
  set needed timely updates.  That leads to either wanting to push this
  out of base or to have some update mechanisms like pkg-vulnerabilities.
  It may be that this is not really a big issue; I think CAs get kicked
  out of the mozilla set rarely.

  Changing is a lot of work.

So I think it will take someone willing to do the work, and doing it so
that trust anchors are only configured with admin consent.


Another approach would be to add a feature to pkgin where it would have
a record of whether mozilla-rootcerts-openssl has been installed, and
ask the user whether they wanted to install it or not, and thereafter
not ask.  Probably enabled only on systems where the base system is
known not to have preconfigured trust anchors.  That lets pkgsrc do this
for a user easily, while not overriding base policy without consent.

This would probably require pkgin, mozilla-rootcerts-openssl and
mozilla-rootcerts to be prestaged as part of install, but we already
need pkgin, or else the same download method could be used for
mozilla-rootcerts as pkgin.  Also needs someone to write the code.
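An added sketch of the consent-gated check described in the proposal above; this is example code, not pkgin's or anything posted in this thread. It assumes OpenSSL's usual layout (hashed `*.0` links under `certs/` or a `cert.pem` bundle in OPENSSLDIR) and a state file name, `rootcerts-choice`, chosen only for this example.

```shell
#!/bin/sh
# Hypothetical sketch of the one-time, consent-gated check (not pkgin code).
# Assumptions: trust anchors live under "$ssldir"/certs as hashed "*.0"
# links or in "$ssldir"/cert.pem; the admin's answer is stored in
# "$statedir"/rootcerts-choice (a file name chosen for this example).

# Succeed when the OpenSSL directory already holds at least one trust
# anchor: base policy is set and must not be overridden.
has_trust_anchors() {
    dir="$1"
    [ -s "$dir/cert.pem" ] && return 0
    for link in "$dir"/certs/*.0; do
        [ -e "$link" ] && return 0
    done
    return 1
}

# Print the recorded answer ("yes" or "no"), or nothing if never asked.
recorded_choice() {
    [ -f "$1/rootcerts-choice" ] && cat "$1/rootcerts-choice"
}

# Print what the installer should do:
#   skip-base   - base already has anchors; leave its policy alone
#   skip-record - admin already answered; do not ask again
#   ask         - no anchors and no record; ask the admin exactly once
decide() {
    ssldir="$1"; statedir="$2"
    if has_trust_anchors "$ssldir"; then echo skip-base; return 0; fi
    if [ -n "$(recorded_choice "$statedir")" ]; then echo skip-record; return 0; fi
    echo ask
}

# Persist the admin's answer so it is asked only once. Installing
# mozilla-rootcerts-openssl on "yes" is left out; only consent is recorded.
record_choice() {
    statedir="$1"; answer="$2"
    case "$answer" in
        yes|no) printf '%s\n' "$answer" > "$statedir/rootcerts-choice" ;;
        *) echo "answer must be yes or no" >&2; return 1 ;;
    esac
}

# Stand-alone demo against the real OPENSSLDIR when openssl is available.
if command -v openssl >/dev/null 2>&1; then
    real=$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
    echo "decision for $real: $(decide "$real" "${TMPDIR:-/tmp}")"
fi
```

The demo only reads the real directory; `record_choice` is never called against it, so running the script changes nothing on the host.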
