
Ruediger Meier wrote:
On Friday 26 July 2013, Ludwig Nussel wrote:
Ruediger Meier wrote:
Today I wanted to install a custom CA certificate globally (actually just the ca-certificates-cacert rpm package). I found that it's a bit annoying that this is not easily possible, since different programs use different paths to look for CA certificates and we have a lot of duplicated certs installed.
For example, we have some packages giving us some certificates:
  ca-certificates-mozilla: /usr/share/ca-certificates/mozilla/
  kdelibs3: /opt/kde3/share/apps/kssl/ca-bundle.crt
  kdelibs4: /usr/share/kde4/apps/kssl/ca-bundle.crt
(They all have more or less the same content.)
Those KDE bundles shouldn't exist. They are from 2009, so horribly out of date. If you find such cases, feel free to file bug reports.
My question is, couldn't we do that by default? So that installing custom CA certificates globally would hopefully affect all possible programs.
I'm currently working on that for 13.1¹. Applications are expected to call SSL_CTX_set_default_verify_paths() resp. gnutls_x509_trust_list_add_system_trust() to make them use the system certificate store. No package should hardcode /etc/ssl/certs or any bundle file anymore. NSS applications like Firefox need no change; just install p11-kit-nss-trust instead of mozilla-nss-certs.
Ok, now I've tried out the new p11-kit* and ca-certificates* packages. It works pretty well but I have a few issues:
Thanks for testing, much appreciated!
1. It's not nice that /etc/ssl/openssl.cnf is disabled right now. I understand that you want to reduce the number of Factory packages which are using it. But it's unusable for users who need it. Actually, this is completely against the idea of unifying the certs stuff and making it easier to use.
I guess you meant /etc/ssl/ca-bundle.pem? I removed it after I found several packages in Factory that use it despite the clear instructions not to do that inside the file.
2. Shouldn't /usr/share/ca-certificates still be parsed for compatibility? What if users have installed custom certs there?
Since packaging extra certs was of limited use before, I ignored that case so far. I'm actually more worried about /etc/ssl/certs. Ideally it should be replaced by a read-only bind mount to /var/lib/ca-certificates/pem, but I fear that admins put certs there (that are now completely ignored).
3. Is it correct that ca-certificates-cacerts are installed in /usr/share/pki/trust/anchors/ but ca-certificates-mozilla above in /usr/share/pki/trust/?
Yes. Certificates in the "anchors" subdirectory are automatically trusted, whereas one level above the certificates need to have trust flags attached to them to be considered (dis)trusted. The Mozilla certs all have (dis)trust bits set.

cu
Ludwig

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
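As an added illustration of the "anchors" vs. trust-flag rule from point 3 (example code, not part of the thread and not p11-kit's own logic): the script below builds a constructed trust-store layout with placeholder PEM bodies and reports, per file, whether p11-kit-style processing would trust it outright (anchors subdirectory), trust it according to attached flags (an OpenSSL "TRUSTED CERTIFICATE" block at the top level), or ignore it (a plain certificate at the top level with no trust information). The directory root and file names are assumptions for the demo.

```python
import os
import re
import tempfile

# PEM block label; a plain CERTIFICATE block carries no trust information,
# while OpenSSL's TRUSTED CERTIFICATE form has trust/reject purposes attached.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----")


def classify_trust_store(root):
    """Map each .pem under root (top level and root/anchors) to a status.

    'anchor'        - in the anchors subdirectory, trusted as-is
    'trust-flagged' - top level with a TRUSTED CERTIFICATE block
    'ignored'       - top level without any trust flags
    """
    result = {}
    for sub in ("", "anchors"):
        dirpath = os.path.join(root, sub)
        if not os.path.isdir(dirpath):
            continue
        for name in sorted(os.listdir(dirpath)):
            if not name.endswith(".pem"):
                continue
            with open(os.path.join(dirpath, name)) as fh:
                kinds = PEM_BLOCK.findall(fh.read())
            rel = os.path.join(sub, name) if sub else name
            if sub == "anchors":
                result[rel] = "anchor"
            elif "TRUSTED CERTIFICATE" in kinds:
                result[rel] = "trust-flagged"
            else:
                result[rel] = "ignored"
    return result


def build_demo_store():
    """Create a constructed layout; the PEM bodies are placeholders, not real certs."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "anchors"))
    body = "Q09OU1RSVUNURUQgUExBQ0VIT0xERVIsIE5PVCBBIFJFQUwgQ0VSVA==\n"
    files = {
        "anchors/cacert-root.pem": "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % body,
        "mozilla-ca.pem": "-----BEGIN TRUSTED CERTIFICATE-----\n%s-----END TRUSTED CERTIFICATE-----\n" % body,
        "stray.pem": "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % body,
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, status in classify_trust_store(build_demo_store()).items():
        print("%-28s %s" % (path, status))
```

Running it shows the stray top-level certificate as ignored, which is exactly the case an admin hits when dropping a plain .pem one level above "anchors".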