On 10/14/2011 02:21 PM, Bruce Dubbs wrote:
> This is mostly for DJ.
>
> I think we should add information to the BLFS openssl page on how to
> create a ca bundle. I tried looking at some older messages, but
> cvs.fedoraproject.org no longer exists.
>
> I can find a list from debian.
>
> RH wants to put the files in /etc/pki.
>
> openssl puts them in /etc/ssl/certs.
>
> My questions are:
>
> 1. What procedure is used to generate the BLFS-ca-bundles?

As discussed in the BLFS support thread started by Andrew, I use a script (probably similar to the one included with curl) to grab certdata.txt from Mozilla. It is then sanitized on the fly (meaning that expired and invalid certificates are removed from the distributed tarball). The original python script used for BLFS was obtained from RedHat and then later changed to a perl script obtained from Fedora (modified by me for BLFS use) that nixed the bad certs. The one bad cert (a test case of a hash collision that allows invalid certs to be created) will not be removed from certdata.txt, but should be removed from the system CA certs. Also, the security team is a little slow in process to remove expired certs at Mozilla, which should also be removed. The script used to generate the ca-bundle used in BLFS is located in BLFS/auxfiles/mkblfsca.sh which calls BLFS/auxfiles/mkcert.pl.

As far as rationale, the instructions to install the certificates should probably be moved to their own page as they can be used without OpenSSL. OpenSSL runs the c_rehash script on them (which is pretty much useless as I rename them with the hash value anyway so that we don't have any issue with non-utf8 locales). I have been using the certdata.txt from the released version of NSS to generate the tarball and it is named using the version string of NSS from which certdata.txt comes. Packages that use the certs directly need to be made aware of the location of the certificates. Most can use both a directory of certificates and a bundle file, but some packages can use only the bundle when used with gnutls as the SSL implementation. Using a directory makes it easy for a user to add certificates that they trust, but are not necessarily trusted by the community (in BLFS it was decided to depend solely on Mozilla for certificate trust, and not to try and define our own policy). A bundle can then be updated from the certs directory.

> 2. Should we continue to put them in /etc/ssl/certs or should we
> consider another location?
>
> -- Bruce

That location is generally searched for as well as /etc/ssl/ca-bundle.crt. I wouldn't move either.

--
DJ Lucas
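The sanitising step DJ describes (take Mozilla's certdata.txt, keep only the anchors Mozilla trusts, drop the explicitly distrusted entry and anything already expired, write out PEM that a certs directory or a bundle can be built from), as an added Python example. This is not BLFS's mkblfsca.sh/mkcert.pl nor any Mozilla, Red Hat or Fedora script. The certdata.txt excerpt is constructed inline from unsigned stand-in "certificates" that carry only the leading TBSCertificate fields the expiry walker reads; pairing certificate and trust objects by CKA_LABEL alone is a simplification (NSS also matches on issuer and serial); and NOW is pinned to the thread's date so the run is reproducible.

```python
import base64
import datetime as dt
import re

def parse_certdata(text):
    """Split certdata.txt into objects (attribute -> value); MULTILINE_OCTAL blobs become bytes."""
    objs, cur, lines = [], {}, iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):          # blank and comment lines end an object
            if cur:
                objs.append(cur)
            cur = {}
            continue
        parts = line.split(None, 2)
        if len(parts) == 2 and parts[1] == "MULTILINE_OCTAL":   # "\060\202..." lines up to a bare END
            buf = bytearray()
            for octal_line in lines:
                if octal_line.strip() == "END":
                    break
                buf.extend(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal_line))
            cur[parts[0]] = bytes(buf)
        elif len(parts) == 3:                          # CK_OBJECT_CLASS, CK_TRUST, CK_BBOOL, UTF8 "..."
            cur[parts[0]] = parts[2].strip('"') if parts[1] == "UTF8" else parts[2]
        # anything else (BEGINDATA, legacy CVS_ID) is ignored
    if cur:
        objs.append(cur)
    return objs

def _tlv(buf, pos):
    """(tag, value_start, value_end) of the DER element at pos; definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Walk Certificate -> TBSCertificate -> validity and return notAfter as an aware UTC datetime."""
    _, pos, _ = _tlv(der, 0)                          # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                        # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                                   # optional EXPLICIT [0] version
        pos = end
    for _ in range(3):                                # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)                        # validity SEQUENCE
    _, _, pos = _tlv(der, pos)                        # skip notBefore
    tag, start, end = _tlv(der, pos)                  # notAfter: UTCTime 0x17 or GeneralizedTime 0x18
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

def extract_trusted(text, now):
    """{label: pem} for certs trusted for server auth (CKT_NSS_TRUSTED_DELEGATOR) and not expired at now."""
    objs = parse_certdata(text)
    trust = {o["CKA_LABEL"]: o.get("CKA_TRUST_SERVER_AUTH")    # simplification: pair by label only
             for o in objs if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    kept = {}
    for o in objs:
        if o.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        label, der = o["CKA_LABEL"], o["CKA_VALUE"]
        if trust.get(label) != "CKT_NSS_TRUSTED_DELEGATOR":   # distrusted, or not a server-auth anchor
            continue
        if not_after(der) <= now:                               # expired: Mozilla is slow to drop these
            continue
        kept[label] = to_pem(der)
    return kept

# Constructed sample input, not real Mozilla data: a tiny DER encoder and unsigned stand-in certs.
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def fake_cert(not_after_utc):
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, not_after_utc.encode()))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"") + validity
    return _der(0x30, _der(0x30, tbs))
_TEMPLATE = ('CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\nCKA_LABEL UTF8 "{l}"\nCKA_VALUE MULTILINE_OCTAL\n{b}\nEND\n\n'
             'CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\nCKA_LABEL UTF8 "{l}"\nCKA_TRUST_SERVER_AUTH CK_TRUST {t}\n\n')
def _entry(label, der, server_auth_trust):
    octal = "".join("\\%03o" % b for b in der)
    blob = "\n".join(octal[i:i + 64] for i in range(0, len(octal), 64))
    return _TEMPLATE.format(l=label, b=blob, t=server_auth_trust)
SAMPLE_CERTDATA = "BEGINDATA\n\n" + "".join([
    _entry("Good Root", fake_cert("301231235959Z"), "CKT_NSS_TRUSTED_DELEGATOR"),
    _entry("Expired Root", fake_cert("101231235959Z"), "CKT_NSS_TRUSTED_DELEGATOR"),
    _entry("Distrusted Root", fake_cert("301231235959Z"), "CKT_NSS_NOT_TRUSTED"),  # like Mozilla's explicit distrust entries
])
NOW = dt.datetime(2011, 10, 14, tzinfo=dt.timezone.utc)   # date of this thread, fixed so the run is reproducible

if __name__ == "__main__":
    print("".join(extract_trusted(SAMPLE_CERTDATA, NOW).values()))   # only "Good Root" survives
```

On real data the kept PEMs would be written one per file into the certs directory and concatenated into the bundle; the hash-based filenames DJ mentions are what `openssl x509 -hash -noout` prints for each certificate, which is also what c_rehash uses for its symlinks.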
