tech-userlevel archive
Re: Architecture neutral packages (mozilla-rootcerts-openssl)
NetBSD is the only OS I regularly use that comes without a set of root
certificates by default. All Linux distros have them. People that set up
CI systems, VMs, laptops, etc. generally expect them to be there.
As someone who not only administers a good number of NetBSD servers but
has also helped many others set up and administer their own NetBSD
servers, I think this is very important.
How it ultimately happens is up to people who understand things better
than I do, but what would be lovely to see would be:
1) a way to install rootcerts in sysinst
2) a way to install them post-install, and/or update them
3) an easy way for people who have reasons to be deliberate to allow /
block certain certs so that updates don't undo their work
We used to have sup [1] which allowed less technical (or more lazy) people
to simply update certain things, and I think it's a shame it went away
without a decent replacement. But I think we can all agree that people who
use NetBSD trust NetBSD.org servers as a source for updates, and since the
OS has ssh fingerprints for various NetBSD servers, it stands to reason
that a set of usable rootcerts (with an option to be selective) be offered
by NetBSD. But which tool can people use to get these updates from NetBSD
via ssh?
(a tangent: if we move to Mercurial and turn off the CVS servers, we'll
completely lose the ability to update source trees without installing
packages... not a fan of the idea)
I recently had a fun time trying to explain to someone what to do when
they got this when trying to fetch (from cdn.NetBSD.org!) using ftp on a
new system:
Trying 151.101.209.6:443 ...
18446744073709551615:error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify
failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1919:
ftp: Can't connect to `cdn.netbsd.org:https'
A quick look at ftp(1), searching for "cert", shows:
https://[user[:password]@]host[:port]/path
An HTTPS URL, retrieved using the HTTPS protocol. If set
https_proxy is defined, it is used as a URL to an HTTPS proxy
server. If HTTPS authorization is required to retrieve path, and
user (and optionally password) is in the URL, use them for the
first attempt to authenticate. There is currently no certificate
validation and verification.
"There is currently no certificate validation and verification." needs to
be fixed, because obviously that changed.
Further down:
FTPSSLNOVERIFY
Set to 1 to not verify SSL certificates.
It's not immediately apparent to a beginner that one needs to "export
FTPSSLNOVERIFY=1"; there really should be a command line option to ftp
that does this.
Perhaps, if nothing else, NetBSD should ship with at least the minimum
rootcerts needed so that NetBSD.org certificates work, which would then
make it possible to safely fetch, whether by base set or pkgsrc, a full
set of rootcerts?
John
[1] https://man.netbsd.org/NetBSD-9.2/sup.1
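As an added illustration, not part of John's message and not NetBSD's own tooling: the script below builds a throwaway private CA and a leaf certificate with openssl(1), then runs chain verification against two trust bundles, one that lacks the issuing root and one that contains it. The CA names, the hostname cdn.example.test, the bundle file names and the function verify_chain are all constructed for this example. The failing case reproduces offline what a NetBSD host without root certificates sees behind the "certificate verify failed" message quoted above; the passing case is the effect of installing a CA bundle such as mozilla-rootcerts-openssl.

```shell
#!/bin/sh
# Added example, not code from John's post or from NetBSD: reproduce the
# "certificate verify failed" situation offline with a constructed CA.
set -eu

WORK=$(mktemp -d)              # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf so the CA certificates carry CA:TRUE regardless of
# the system's default configuration (the subject is passed with -subj).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME FILEPREFIX: a self-signed root CA (constructed, 2-day lifetime).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -config "$WORK/ca.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

make_ca "Example Issuing Root CA"   issuer      # signs the leaf below
make_ca "Example Unrelated Root CA" unrelated   # never signs anything here

# Leaf certificate for a hypothetical host, signed by the issuing CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=cdn.example.test" \
    -config "$WORK/ca.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/issuer.pem" -CAkey "$WORK/issuer.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null

# Two trust bundles: one without the issuing root (a host with no root
# certificates, or the wrong ones) and one with it (a CA bundle installed).
cp "$WORK/unrelated.pem" "$WORK/bundle-without-root.pem"
cat "$WORK/unrelated.pem" "$WORK/issuer.pem" > "$WORK/bundle-with-root.pem"

# verify_chain LEAF BUNDLE: succeed only if openssl reports "LEAF: OK",
# i.e. LEAF chains to a root contained in BUNDLE.  On failure openssl
# prints the underlying reason (here "unable to get local issuer certificate"),
# which ftp(1) surfaces only as "certificate verify failed".
verify_chain() {
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    case "$out" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Outcomes are kept in variables so they can be checked as well as printed.
if verify_chain "$WORK/leaf.pem" "$WORK/bundle-without-root.pem"; then
    RESULT_WITHOUT_ROOT=ok
else
    RESULT_WITHOUT_ROOT=fail
fi
if verify_chain "$WORK/leaf.pem" "$WORK/bundle-with-root.pem"; then
    RESULT_WITH_ROOT=ok
else
    RESULT_WITH_ROOT=fail
fi

echo "bundle without the issuing root: $RESULT_WITHOUT_ROOT"   # fail
echo "bundle with the issuing root:    $RESULT_WITH_ROOT"      # ok
```

The point for an administrator is that the error is a missing trust anchor, not a broken server, so the durable fix is to install the bundle. If FTPSSLNOVERIFY=1 has to be used to bootstrap a system that has no roots at all, scope it to the single command (env FTPSSLNOVERIFY=1 ftp ...) rather than exporting it into the shell, and verify what was fetched by some independent means before trusting it.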