Bug 497788
Summary: | [RFE] way to load default root certificates | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Kamil Dudka <kdudka>
Component: | nss_compat_ossl | Assignee: | Rob Crittenden <rcritten>
Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Priority: | medium
Version: | rawhide | CC: | lkundrak, ovasik, rcritten, rrelyea
Hardware: | All | OS: | Linux
Fixed In Version: | 0.9.5-2.fc11 | Doc Type: | Bug Fix
Last Closed: | 2009-05-02 16:35:32 UTC | |

Description
Kamil Dudka
2009-04-27 09:10:48 UTC
The pem module should be providing this capability by loading the OpenSSL CA bundle. Can you tell if the pem module is not being loaded or is the bundle not being added?

Created attachment 341434 [details]
strace output
The pem module seems to be loaded, but /etc/pki/tls/certs/ca-bundle.crt is not accessed - the strace output is attached. Should I change something within elinks code to load it?

Is elinks calling SSL_CTX_load_verify_locations() with the bundle? If not, I wonder how this works with OpenSSL.

AFAIK not, though it works and loads the certificates from /etc/pki/tls/cert.pem. I'll look at it deeper tomorrow and report here. Thanks!

It calls SSL_CTX_set_default_verify_paths() instead, which is not implemented by nss_compat_ossl. No problem for me to fix it within elinks by some #ifdef directives, but it might be reason to implement if elinks is not the only affected application.

It isn't yet defined but it seems to me that the loading of libnssckbi.so you wrote fits the implementation perfectly.

Bob, will we create problems if the root cert list is already loaded and we try to reload it? It seems to me that the load will fail and we won't have a handle to it. The downside is that we won't be able to differentiate between failures because the module is already loaded vs another reason for failure (not found, bad permissions, sun spots, etc). Can we use something like SECMOD_GetDBModuleList() to see if the root certs are already loaded? I'm not very familiar with that part of the API.

There's an NSS call that tells you if a Builtin Root certs module is already loaded.... PRBool SECMOD_HasRootCert(). BTW on Fedora 12, I'm working to arrange that a number of databases, including the built-in root certs, are automatically loaded when you open /etc/pki/nssdb.

bob

BTW, you can also force root cert loading today from /etc/pki/nssdb by creating a symbolic link: ln -s /usr/lib/libnssckbi.so /etc/pki/nssdb. This is a bit of a hack which we added several years ago to keep some servers happy. You can also use modutil to add libnssckbi to /etc/pki/nssdb/secmod.db. Both of these options are user admin options, not really an option for applications.

Ok, the HasRootCert() seems the way to go. We can't be sure that the database will be /etc/pki/nssdb, though we can make that the default at some point I guess.
Whatever solution we come up with needs to work equally well when we do an NSS_Init("/path/to/database") and NSS_NoDBInit().

Created attachment 341689 [details]
Implement SSL_CTX_set_default_verify_paths()
This roughly takes Kamil's patch and stuffs it into SSL_CTX_set_default_verify_paths().
I changed the way the configstring is passed because NSS may modify the string (it parses internally).
Since we'll have 2 modules I also renamed mod to pemMod for clarity.
It tests out ok with elinks for me.

I've changed elinks to be able to load CA certificates from file in PEM format (to be consistent with the GnuTLS variant of elinks) by calling SSL_CTX_load_verify_locations(). And if the configuration option connection.ssl.trusted_ca_file is an empty string, it calls SSL_CTX_set_default_verify_paths() to load NSS default root certificates. It works now in both cases with your patch for nss_compat_ossl, built as elinks-0.12-0.15.pre3.fc12.

Committed upstream:
Sending ChangeLog
Sending src/ssl.c
Transmitting file data ..
Committed revision 73.

nss_compat_ossl-0.9.5-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/nss_compat_ossl-0.9.5-3.fc10

nss_compat_ossl-0.9.5-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/nss_compat_ossl-0.9.5-2.fc11

nss_compat_ossl-0.9.5-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/nss_compat_ossl-0.9.5-2.fc9

re comment 9. OK. if you open with No_DB_init, your only option is to hand load the module. For Fedora 12, we should change it to always open /etc/pki/nssdb (even if you continue to support loading other root certs through pem). That will allow us to use the work I'm doing in Fedora 12 to manage all the applications from a single point.

bob

nss_compat_ossl-0.9.5-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

nss_compat_ossl-0.9.5-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

nss_compat_ossl-0.9.5-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
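
The two admin-side options mentioned in the thread (the libnssckbi.so symbolic link and the modutil entry in secmod.db) can be audited from a script, including the case where the link exists but its target is gone. This is an added example, not part of the bug report or of nss_compat_ossl; the function name and result words are hypothetical, and the secmod.db test is a plain string search that is assumed to be good enough as a hint.

```shell
#!/bin/sh
# Added example: report how the built-in root CA module (libnssckbi.so)
# is wired into an NSS database directory such as /etc/pki/nssdb.
# Hypothetical helper; prints exactly one of:
#   symlink     DBDIR/libnssckbi.so is a link whose target exists
#   dangling    the link exists but its target is missing
#   registered  no link, but secmod.db mentions libnssckbi
#   none        neither mechanism is in place

nss_roots_status() {
    dbdir=$1
    link="$dbdir/libnssckbi.so"

    if [ -L "$link" ]; then
        # -e follows the link, so it is false when the target is gone.
        if [ -e "$link" ]; then
            echo symlink
        else
            echo dangling
        fi
        return 0
    fi

    # Assumption: a module added with modutil leaves its library name
    # as readable text in secmod.db, so a string search finds it.
    if [ -f "$dbdir/secmod.db" ] &&
       grep -q 'libnssckbi' "$dbdir/secmod.db"; then
        echo registered
        return 0
    fi

    echo none
}

# Stand-alone use: pass the database directory as the first argument.
if [ $# -gt 0 ]; then
    nss_roots_status "$1"
fi
```

A `dangling` result is the case worth alerting on: the link is present, so the setup looks complete, but no root module can be loaded through it.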