OSX: Pull certs from Keychain #140
Comments
Just wondering, is there a specific problem you're experiencing? E.g., you have a custom CA at your organization which everyone configures in their keychains? Sadly, the "real" OpenSSL/OS X integration only exists as a patch that Apple applies to OpenSSL and either didn't submit upstream or hasn't been merged. The same is true on Windows: integration with the Windows certificate store was contributed to OpenSSL but was not merged (I don't know the reason for that). In order to really do the right thing, we want to constantly be using the updated CRLs that you get in OS updates from your vendor (and also replacements for expired certificates, etc.). The problem with Homebrew's approach (our current approach of bundling Mozilla's CA bundle has the same issue) is that you need to be periodically checking for CRL updates or else you can be vulnerable to stolen certs. But that requires us to install a cronjob or something, which seems a bit invasive.
It is because we have an in-house CA cert. What would really solve this is if Ruby used Apple's own SSL library instead of OpenSSL. I imagine Windows has something similar. Homebrew has
AFAIK, as for Ruby using Apple's OpenSSL, it's too old, at least on some of the versions of OS X we (intend to) support. I know Apple has a different SSL library, but adding support for that in Ruby isn't something we (Chef engineering) could really do.
I didn't mean Apple's OpenSSL. It's junk. I meant the new stuff. Huh. I'll have to double check. I thought
I'm tempted to close this unless we can come up with a way to non-intrusively (i.e., no cron jobs) pull down certs from the host OS and keep things updated. Did you get anywhere with your research?
Yeah. But you should document the environment variable to override the default CAs.
Docs added here: http://docs.chef.io/chef_client_security.html#ssl-cert-file
👍
On OSX the authoritative source of certificates is the Keychain.
You can pull them out with:
You can see how Homebrew deals with certificates by looking at the openssl formula.
Currently, you can work around this by symlinking the Homebrew cert.pem into ChefDK's embedded directory. It'd be nice if this "Just Worked" out of the box.
PS: I imagine most of the other systems where you ship with your own OpenSSL also have this problem (e.g. windows).
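The thread's workaround boils down to pointing OpenSSL at a PEM bundle that contains the in-house CA, via the SSL_CERT_FILE override the docs link describes. The following added example (not code from ChefDK or from anyone in this thread) builds a throwaway in-house CA and a server certificate it issued, then shows Ruby's OpenSSL failing to verify that certificate against an empty store and succeeding once SSL_CERT_FILE names a bundle holding the CA. All certificate names are constructed for the example.

```ruby
require 'openssl'
require 'tempfile'

# Issue a certificate. issuer_cert/issuer_key nil means self-signed (a root CA).
def make_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed in-house CA and a server cert it issued (hypothetical names).
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('/CN=Example In-House CA', CA_KEY, 1, ca: true)
SERVER_KEY = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = make_cert('/CN=chef.example.internal', SERVER_KEY, 2,
                        issuer_cert: CA_CERT, issuer_key: CA_KEY)

# Verify `cert` the way a client honouring SSL_CERT_FILE would: with no bundle
# the store is empty; with one, OpenSSL's default-paths lookup reads the file
# named by SSL_CERT_FILE when the store is populated.
def verify_with_ssl_cert_file(cert, bundle_path)
  store = OpenSSL::X509::Store.new
  if bundle_path
    ENV['SSL_CERT_FILE'] = bundle_path
    store.set_default_paths
  end
  store.verify(cert)
end

# Returns [result without the CA bundle, result with it].
def demo
  Tempfile.create(['inhouse-ca', '.pem']) do |f|
    f.write(CA_CERT.to_pem)
    f.flush
    [verify_with_ssl_cert_file(SERVER_CERT, nil),
     verify_with_ssl_cert_file(SERVER_CERT, f.path)]
  end
end
```

The same override is what the cert.pem symlink achieves by hand; the difference is only where the bundle comes from, not how OpenSSL consumes it.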