[OmniOS-discuss] CA certs redux

Theo Schlossnagle jesus at omniti.com
Sat Nov 3 08:30:35 EDT 2012


On Fri, Nov 2, 2012 at 10:57 PM, Paul B. Henson <henson at acm.org> wrote:
> On 11/2/2012 6:40 PM, Theo Schlossnagle wrote:
>
>> I think we'd still want a unified file somewhere.  Several apps want
>> to load all known CAs in one go, and that is a bit easier from a
>> file.
>
>
> Hmm, true; having both is probably best.
>
>
>> I think this does the trick:
>
>
> Cool, thanks. I'm not sure what changed between the previous stable and this
> one, but it looks like openssl (or at least wget) isn't looking for the
> individual hashed files anymore:
>
> # truss wget https://www.csupomona.edu/ 2>&1 | grep /usr/ssl
> open64("/usr/ssl/cert.pem", O_RDONLY)           = 3

Wget always acts this way. If it finds the cert.pem, it stops.  If you
remove that file, it will next stat a file in /usr/ssl/certs/.

This works on bloody.

> So just putting them there might not change anything, wget will continue to
> use the single file version. If you just use 'openssl s_client' it doesn't
> even appear to have a default location, you always have to specify -CAfile
> or -CApath, so maybe it's a different version of wget with a different
> default openssl configuration? I no longer have my previous stable install
> to poke at so I'm not sure exactly. Even if I explicitly tell wget to use a
> certificate directory it still seems to just use the single file:
>
> # truss wget --ca-directory=/usr/ssl/certs https://www.csupomona.edu/ 2>&1 |
> grep /usr/ssl
> open64("/usr/ssl/cert.pem", O_RDONLY)           = 3
>
> Dunno 8-/. Other than wget not appearing to look for them, your diff looks
> good to me as far as creating them and making them available.
>
> One pedantic concern is that the mozilla nss library includes its own
> bundled version of CA certs, which would potentially be different than
> these? That probably won't be a problem in practice though.

That concern is a real concern.  It certainly violates the principle of
least surprise.

> A different question, why put stuff in /usr/ssl? It looks like there are the
> certificates (which will now be linked to /etc/ssl), man pages (which aren't
> in the default man path and thus not found), a misc directory with the CA
> stuff in it, and an empty private directory.
>
> If openssl is configured to look directly in /etc/ssl, the man pages were
> installed in /usr/share/man, that just leaves the CA directory and the empty
> private directory. It looks like at least some linux distributions dump the
> CA directory in /etc/ssl, another possibility would be /usr/share/openssl.
> I'm not sure what typically goes in the private directory? There's nothing
> in that directory on any of my stuff.

Configuring openssl to live in /usr/ssl (which I believe is correct)
and operate on configurations in /etc/ssl is actually a pain.  That
stuff is hard coded in C

./crypto/cryptlib.h:#define X509_CERT_DIR               OPENSSLDIR "/certs"
./crypto/cryptlib.h:#define X509_CERT_FILE              OPENSSLDIR "/cert.pem"

And OPENSSLDIR influences a lot more than just those two paths.  So,
unless there is a serious issue, I think the softlink back to
/etc/ssl/... is simple and least intrusive.

> Anyway, thanks much for tuning up the certificate directory. Other than
> that, the last three paragraphs were just design idealism ;).


-- 
Theo Schlossnagle

http://omniti.com/is/theo-schlossnagle
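As an added example, not from this thread or from the OmniOS build: a small sh check for the trust-store layout discussed above, covering both the single bundle and the hashed directory and flagging when the two disagree. The directory argument stands in for OPENSSLDIR; cert.pem and certs/ are the compiled-in X509_CERT_FILE and X509_CERT_DIR names quoted above, while the hashed-filename pattern and the "counts must match" rule are assumptions of the example, not something OpenSSL enforces.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an OpenSSL trust store.
# $1 stands in for OPENSSLDIR (e.g. /usr/ssl). Expected contents are the
# compiled-in defaults cert.pem (X509_CERT_FILE) and certs/ (X509_CERT_DIR).

count_pem_certs() {
    # Number of PEM certificates in a bundle file; 0 if the file is missing.
    [ -f "$1" ] || { echo 0; return; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

count_hashed_entries() {
    # Entries named like subject-hash links (8 hex digits, dot, counter),
    # which is what c_rehash produces; anything else is ignored by -CApath.
    # The exact pattern is an assumption of this example.
    [ -d "$1" ] || { echo 0; return; }
    ls "$1" 2>/dev/null | grep -Ec '^[0-9a-f]{8}\.[0-9]+$' || true
}

check_ca_layout() {
    dir=$1
    bundle="$dir/cert.pem"
    certdir="$dir/certs"
    rc=0
    nfile=$(count_pem_certs "$bundle")
    ndir=$(count_hashed_entries "$certdir")
    if [ "$nfile" -eq 0 ]; then
        echo "WARN: $bundle missing or empty; apps loading one bundle trust nothing"
        rc=1
    fi
    if [ "$ndir" -eq 0 ]; then
        echo "WARN: $certdir has no hashed entries; -CApath lookups will fail"
        rc=1
    fi
    # Two stores that drift apart is exactly the "least surprise" problem:
    # which CAs you trust then depends on which lookup the application uses.
    if [ "$nfile" -ne 0 ] && [ "$ndir" -ne 0 ] && [ "$nfile" -ne "$ndir" ]; then
        echo "WARN: $nfile certs in bundle but $ndir hashed entries: stores disagree"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir has $nfile CA certs; bundle and hashed dir agree"
    return "$rc"
}
```

Run it as `check_ca_layout "$(openssl version -d | sed 's/^OPENSSLDIR: //; s/"//g')"` to check the directory the installed openssl was actually built with.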
