pkgsrc-Bugs archive


Re: pkg/58942: The GNUTLS package doesn't use system-wide CA certs



The following reply was made to PR pkg/58942; it has been noted by GNATS.

From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
To: dpirate%metalpunks.info@localhost
Cc: gnats-bugs%NetBSD.org@localhost, pkgsrc-bugs%NetBSD.org@localhost
Subject: Re: pkg/58942: The GNUTLS package doesn't use system-wide CA certs
Date: Sat, 28 Dec 2024 16:56:16 +0000

 This happens because:
 
 DEPENDS+=	mozilla-rootcerts-[0-9]*:../../security/mozilla-rootcerts
 ...
 CONFIGURE_ARGS+=	--with-default-trust-store-file=${PREFIX}/share/mozilla-rootcerts/cacert.pem
 
 This is wrong for two reasons:
 
 1. it doesn't provide any way to override the decision, because
    ${PREFIX}/share/mozilla-rootcerts/cacert.pem is part of a package
    rather than editable configuration; and
 
 2. it doesn't respect OS-specific certificate stores, like
    /etc/openssl/certs on NetBSD or /etc/pki/tls on various Linux
    systems.
 
 What this really should do is follow logic somewhat like what's in
 security/openssl/builtin.mk for the OS's certificate store, in order
 to determine that the correct path on NetBSD is
 /etc/openssl/certs/ca-certificates.crt (as used by certctl(8) in
 NetBSD>=10 and by the security/ca-certificates or
 security/mozilla-rootcerts packages in older versions).
 
 Unfortunately, security/openssl/builtin.mk is obviously specific to
 OpenSSL -- and doesn't get the right path to the single-file bundle
 used by GnuTLS (but it gets the right path to the hashed certificate
 directory used by OpenSSL).
 
 So I think we should create a new mk/ssl.mk or mk/ssltrustanchors.mk
 or mk/sslcacerts.mk or something to place this logic properly, and use
 it consistently both for GnuTLS and for OpenSSL -- and consider
 pulling up either that or a more narrowly scoped stop-gap measure to
 2024Q4, since this is a security risk when certctl(8) is supposed to
 be able to promptly _distrust_ a CA in cases like the DigiNotar
 incident.
 
 I found a handful of other packages that likely have the same issue,
 with hard-coded references to share/mozilla-rootcerts:
 
 lang/python27
 security/botan3
 security/p11-kit
 security/qca2-qt5
 security/qca2
 sysutils/bsdec2-image-upload
 
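The selection logic the message proposes for a shared mk fragment, written out as a POSIX shell script so it can be exercised against a scratch directory tree. This is an added example, not code from pkgsrc or from the PR; the NetBSD bundle path is the one named above, while the Linux, FreeBSD, OpenBSD and Darwin paths, the SSL_CA_BUNDLE override variable and the function names are assumptions made for illustration. The two points of the report are reflected directly: an operator-editable override is consulted first, OS-specific system stores next, and the package-owned mozilla-rootcerts bundle only as a last resort; a second helper flags a bundle that lives under ${PREFIX} as package-owned rather than editable configuration.

```shell
#!/bin/sh
# Added example (not pkgsrc code): choose the single-file PEM trust-anchor
# bundle a package such as GnuTLS should be configured with.
#
#   ca_bundle_for [OPSYS] [ROOT]
#     OPSYS defaults to `uname -s`.  ROOT (default "") is prepended to every
#     candidate so the logic can be tested against a scratch tree.
#     SSL_CA_BUNDLE, if set, wins unconditionally: that is the editable
#     configuration knob the report says is missing.  The variable name is
#     an assumption, not an existing pkgsrc variable.

ca_bundle_candidates() {
    # Candidate bundles, most specific first.  Only the NetBSD path comes
    # from the report; the rest are assumptions about common layouts.
    case "$1" in
    NetBSD)
        echo /etc/openssl/certs/ca-certificates.crt   # certctl(8), NetBSD>=10
        ;;
    Linux)
        echo /etc/ssl/certs/ca-certificates.crt       # Debian-style layout
        echo /etc/pki/tls/certs/ca-bundle.crt         # Fedora/RHEL-style layout
        ;;
    FreeBSD|OpenBSD|Darwin)
        echo /etc/ssl/cert.pem
        ;;
    esac
    # Last resort: the bundle shipped by security/mozilla-rootcerts.
    echo "${PREFIX:-/usr/pkg}/share/mozilla-rootcerts/cacert.pem"
}

# Print the bundle to use; exit 1 if nothing usable exists.
ca_bundle_for() {
    opsys=${1:-$(uname -s)}
    root=${2:-}
    if [ -n "${SSL_CA_BUNDLE:-}" ]; then
        echo "$SSL_CA_BUNDLE"
        return 0
    fi
    for f in $(ca_bundle_candidates "$opsys"); do
        if [ -f "$root$f" ]; then
            echo "$root$f"
            return 0
        fi
    done
    echo "ca_bundle_for: no CA bundle found for $opsys" >&2
    return 1
}

# True when the bundle lives outside the package prefix, i.e. it is managed
# by the operator (certctl, ca-certificates) and a distrusted CA can be
# removed from it without rebuilding or replacing a package.
bundle_is_editable_config() {
    case "$1" in
    "${PREFIX:-/usr/pkg}"/*) return 1 ;;
    *) return 0 ;;
    esac
}

# Demo when run directly: report what this host would get.
if bundle=$(ca_bundle_for 2>/dev/null); then
    if bundle_is_editable_config "$bundle"; then
        echo "--with-default-trust-store-file=$bundle (operator-editable)"
    else
        echo "--with-default-trust-store-file=$bundle (package-owned: distrust needs a package rebuild)"
    fi
fi
```

Run it as `sh sslcacerts.sh` to see which bundle the host would be configured with, or `SSL_CA_BUNDLE=/path/to/bundle.pem sh sslcacerts.sh` to see the override take precedence. A make-level equivalent would put the same case analysis on ${OPSYS} into the proposed mk fragment and let GnuTLS, OpenSSL and the other packages listed above consume one variable instead of each hard-coding share/mozilla-rootcerts.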

