On 11/11/2016 05:49 AM, Pierre Labastie wrote:
> On 11/11/2016 07:54, DJ Lucas wrote:
>> On 11/10/2016 01:24 AM, DJ Lucas wrote:
>>> As far as I can tell, the only remaining thing brought up in the
>>> previous thread was how to obtain and verify the file. I do like using
>>> the release branch as the default source (with version info as provided
>>> by Bruce's script on Anduin). Bruce, what do you think about signing
>>> that file for verification? Or even automatically updating the date and
>>> md5sum of the file in the book -- changelog would need to be skipped I
>>> think, but with that little concession, it should be reasonably easy to
>>> do from cron.
>> Still need to address the above,

I think that has been addressed by providing the additional download
links from upstream VCS and mentioning the included copies with the
Mozilla products.

>> but a completed script is located here:
>> http://www.linuxfromscratch.org/~dj/make-ca.sh
> A small improvement: test whether /etc/ssl/local exists before running
> "for cert in `find /etc/ssl/local -name "*.pem"`". It throws an error if
> the directory does not exist.

Got that, along with others.
Okay, so using libp11-kit.so as a replacement for libnssckbi.so works
really well once stuff is set up as it should be. No need to change
configuration of Mozilla products. Unfortunately, that adds in a fifth
certificate store, and exposed additional functionality that we had
previously ignored for OpenSSL. Needless to say, this has been far more
complex than initially anticipated, but I learned a fair bit. I was
about ready to suggest using RedHat's solution verbatim!
Fortunately, I think I have something that covers all of the possible
use cases with the only dependency being OpenSSL. I do have some
reservation about putting a 300+ line script into the book (it'll be a
download, not inline), but I feel that's better than trying to explain
every possible detail in the cacerts page, or worse, scattering this info
on multiple pages.
Anyway, it's complicated (but far less so than it was at this date in
2013), and I'm glad I was pissy about the perl script! I've now learned
more than I care to know. :-) I've made the new script as simple as I
can see to do so without losing any of the info provided to us by
Mozilla. I don't see any way to make it easier to understand, so I would
very much appreciate eyes on it. I've run the script in every possible
configuration I can come up with, probably around 50 times at best guess
(maybe closer to 100, IDK).
https://wiki.mozilla.org/CA:Root_Store_Trust_Mods (Thanks Wayne)
contains some additional information that is yet unaccounted for.
Neither OpenSSL nor GnuTLS have mechanisms for EV, nor any mechanism to
distrust based on issue date < Not After, or a particular TLD that I am
aware of (I could certainly be wrong about this).
My best suggestion, without digging in too deep would be to toggle all
three trust bits to null or reject for CNNIC on April 15, 2017, and to
simply ignore the other two. Also, although not mentioned,
WoSign/StartCom probably have the same fix in PSM as for CNNIC, same
solution except the date will be October 1st 2017. Browsers still use
the PSM and are fine. Optionally we could set null on all six now and
break GnuTLS for these sites. Browsers will give a warning but allow you
to bypass in that case (and give me the excuse I need to justify the
time to make the switch to LE from StartCom). IDK, maybe we should
revisit the idea of providing a certificates package with links to the
tools we use?
Book patch is here - important as wget will be broken until configured
to use the ca-bundle.crt (it probably always should have been):
http://www.linuxfromscratch.org/~dj/BLFS-cacerts-new.patch
And new script (replaced the old) is here:
http://www.linuxfromscratch.org/~dj/make-ca.sh
--DJ
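As an added example (not part of the thread and not DJ's make-ca.sh), here is the guarded form of the /etc/ssl/local loop Pierre mentioned: the fragile backtick form beside a version that skips a missing directory and survives paths with spaces. The directory is passed as a parameter (an assumption for testability); the default mirrors the /etc/ssl/local path from the thread.

```shell
#!/bin/sh
# Added example, not the make-ca.sh script from the thread.

# Fragile form discussed above: find prints an error to stderr when the
# directory is missing, and word-splitting breaks paths containing spaces.
list_local_certs_fragile() {
    localdir="${1:-/etc/ssl/local}"
    for cert in `find "$localdir" -name "*.pem"`; do
        printf '%s\n' "$cert"
    done
}

# Hardened form: return 1 without touching find when the directory is
# absent, and read find's output one path per line so spaces are kept.
process_local_certs() {
    localdir="${1:-/etc/ssl/local}"
    if [ ! -d "$localdir" ]; then
        return 1
    fi
    find "$localdir" -name '*.pem' -type f | while IFS= read -r cert; do
        # Per-certificate work (e.g. appending to the bundle) would go
        # here; the example only prints the path.
        printf '%s\n' "$cert"
    done
    return 0
}

# Number of certificates the hardened loop processes; 0 when the
# directory does not exist, with no error output from find.
count_local_certs() {
    process_local_certs "$1" 2>/dev/null | wc -l | tr -d ' '
}
```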
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev