[OmniOS-discuss] ssl root CA certs
Paul B. Henson
henson at acm.org
Fri Oct 12 19:11:02 EDT 2012
On 10/12/2012 8:53 AM, Eric Sproul wrote:
> I found where the CA certs live in illumos-gate:
> http://src.illumos.org/source/xref/illumos-gate/usr/src/cmd/cmd-crypto/etc/CA-certs/
[...]
> this collection almost certainly contains stale data. Given that, do
> we still want to encourage the use of that set or just point apps at
> /etc/cacert.pem which is more up to date?
It looks like the ones bundled in illumos-gate also come from Mozilla,
by way of being extracted from libnssckbi.so. OI and OmniOS both include
that library, but it doesn't seem to be part of illumos-gate? At least I
couldn't find it. So I guess that's a distribution value-added package
;). In theory it seems it would be good for the libnssckbi.so hardcoded
certificates to match the external certificates, so applications don't
do different things depending on whether they use NSS or openssl.
I was going to say that if somebody was going to go to the trouble of
updating CA certs, they might as well do it in upstream illumos-gate so
all distributions can avail of it. However, if NSS is added per
distribution, that would make it pretty difficult to keep them synced
up. If root CAs are going to be maintained by the distribution, it
would seem better for illumos-gate to simply not include any at all,
again so as not to have a different set depending on where you look. The
illumos bundled CAs also include a couple from Sun which are presumably
owned by Oracle now, I'd just as soon not have my omnios box trusting
Oracle for anything 8-/.
I think I will bring this up on the illumos developer list and see what
comes of it. My initial thoughts now are that root CAs should just be
dropped out of illumos-gate and handled at the distribution level, that
way there'll be no confusion or mismatch.
On another note, I think it's a lot more efficient to have a directory
full of hashes to individual certificates rather than one big file full
of all of them. In the first case, openssl can pretty much immediately
find what it wants (or determine it doesn't exist), and the second it
has to read the entire file and search for it. It looks like the
upstream certs have those hashes already in /etc/openssl/certs. Rather
than configuring curl and/or wget to point to the big file, it seems it
would be better to set up the hashed directory and have the openssl
library configured to find it, so all openssl apps would work the same
by default...