Re: pkg/58143: security/gnutls uses wrong trust anchors

To: riastradh%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, pkgsrc-bugs%netbsd.org@localhost, campbell+netbsd%mumble.net@localhost
Subject: Re: pkg/58143: security/gnutls uses wrong trust anchors
From: "Taylor R Campbell via gnats" <gnats-admin%NetBSD.org@localhost>
Date: Mon, 30 Dec 2024 14:55:01 +0000 (UTC)

The following reply was made to PR pkg/58143; it has been noted by GNATS.

From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
To: gnats-bugs%NetBSD.org@localhost, pkgsrc-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: pkg/58143: security/gnutls uses wrong trust anchors
Date: Mon, 30 Dec 2024 14:50:31 +0000

 This is a multi-part message in MIME format.
 --=_zuuYtksK0C8RJaF9J8AwVVP/KZSlw/L+

 [followup previously sent to a duplicate of this PR]

 --=_zuuYtksK0C8RJaF9J8AwVVP/KZSlw/L+
 Content-Type: message/rfc822
 Content-Disposition: inline

 Date: Sat, 28 Dec 2024 16:56:16 +0000
 From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
 To: dpirate%metalpunks.info@localhost
 CC: gnats-bugs%NetBSD.org@localhost, pkgsrc-bugs%NetBSD.org@localhost
 Subject: Re: pkg/58942: The GNUTLS package doesn't use system-wide CA certs
 Message-Id: <20241228165617.BDF0984EEF%mail.netbsd.org@localhost>
 MIME-Version: 1.0
 Content-Type: text/plain; charset=us-ascii
 Content-Transfer-Encoding: quoted-printable

 This happens because:

 DEPENDS+=3D	mozilla-rootcerts-[0-9]*:../../security/mozilla-rootcerts
 ...
 CONFIGURE_ARGS+=3D	--with-default-trust-store-file=3D${PREFIX}/share/mozill=
 a-rootcerts/cacert.pem

 This is wrong for two reasons:

 1. it doesn't provide any way to override the decision, because
    ${PREFIX}/share/mozilla-rootcerts/cacert.pem is part of a package
    rather than editable configuration; and

 2. it doesn't respect OS-specific certificate stores, like
    /etc/openssl/certs on NetBSD or /etc/pki/tls on various Linux
    systems.

 What this really should do is follow logic somewhat like what's in
 security/openssl/builtin.mk for the OS's certificate store, in order
 to determine that the correct path on NetBSD is
 /etc/openssl/certs/ca-certificates.crt (as used by certctl(8) in
 NetBSD>=3D10 and by the security/ca-certificates or
 security/mozilla-rootcerts packages in older versions).

 Unfortunately, security/openssl/builtin.mk is obviously specific to
 OpenSSL -- and doesn't get the right path to the single-file bundle
 used by GnuTLS (but it gets the right path to the hashed certificate
 directory used by OpenSSL).

 So I think we should create a new mk/ssl.mk or mk/ssltrustanchors.mk
 or mk/sslcacerts.mk or something to place this logic properly, and use
 it consistently both for GnuTLS and for OpenSSL -- and consider
 pulling up either that or a more narrowly scoped stop-gap measure to
 2024Q4, since this is a security risk when certctl(8) is supposed to
 be able to promptly _distrust_ a CA in cases like the Digi-Notar
 incident.

 I found a handful of other packages that likely have the same issue,
 with hard-coded references to share/mozilla-rootcerts:

 lang/python27
 security/botan3
 security/p11-kit
 security/qca2-qt5
 security/qca2
 sysutils/bsdec2-image-upload

 --=_zuuYtksK0C8RJaF9J8AwVVP/KZSlw/L+--

Prev by Date: Re: pkg/58143 (security/gnutls uses wrong trust anchors)
Next by Date: Re: pkg/58143: security/gnutls uses wrong trust anchors
Previous by Thread: Re: pkg/58143: security/gnutls uses wrong trust anchors
Next by Thread: Re: pkg/58143: security/gnutls uses wrong trust anchors
Indexes:

Home | Main Index | Thread Index | Old Index