[FR] Add trust option to CA settings... #1460

Closed
fabianfrz opened this issue Mar 9, 2017 · 9 comments
Assignees
Labels
feature Adding new functionality
Milestone

Comments

@fabianfrz
Member

fabianfrz commented Mar 9, 2017

... which put the CA certificate into the local trust store.

Useful for

  • chaining TLS intercept proxies
  • Trust internal CAs in cURL commands
  • Use other CAs like CACert

etc.

Screenshot provided by @AndyX90 via opnsense/plugins#838:


@fichtner fichtner added the feature Adding new functionality label Mar 11, 2017
@fichtner fichtner added this to the 17.7 milestone Mar 11, 2017
@fichtner fichtner self-assigned this Mar 11, 2017
@fichtner
Member

I like this, though where should trusted certificates land in the system to be automatically picked up?

@fabianfrz
Member Author

Looks like the mozilla bundle is installed here: /usr/local/share/certs/

I don't know if it needs symlinks somewhere.

@fichtner fichtner modified the milestones: 18.1, 17.7 Jul 21, 2017
@fichtner fichtner added the help wanted Contributor missing / timeout label Dec 17, 2017
@fichtner fichtner modified the milestones: 18.1, 18.7 Dec 17, 2017
@NOYB
Contributor

NOYB commented Dec 24, 2017

OpenSSL CAPATH hash directory is the way to go here. Makes managing the certs very easy and lookups very efficient. Already have code for managing the OpenSSL hash dir from the Web GUI to include CAs on a selected-to-be-trusted basis. But OPNsense features need to utilize OpenSSL or it's pointless (dyndns, update url table aliases, etc.).

@fabianfrz
Member Author

A single file is very easy too because everything needed is:

`cat *.pem > /path/to/file.pem`

And it works even if the previously used file was already a bundle.

@NOYB
Contributor

NOYB commented Dec 26, 2017

That is overly simplified.

`c_rehash dir` is pretty easy too.

That method requires rewriting the entire bundle to remove a cert. Or a bunch of code to locate and snip it out of the bundle.

I've already done both methods and have code for managing both from the WebGUI. Much prefer the hash dir.

https://www.openssl.org/docs/manmaster/man1/c_rehash.html
https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_load_verify_locations.html
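The two comments above compare a single concatenated bundle (`cat *.pem > file.pem`) with a `c_rehash` CAPATH directory. The following is an added example, not code from OPNsense or from either commenter: it implements the bundle side of that trade-off in Python, parsing a PEM bundle into certificates identified by their DER SHA-256 fingerprint, merging bundles idempotently (so re-running over an existing bundle does not grow it), and doing the "locate and snip it out" rewrite that removing a cert from a bundle requires. The `placeholder_pem` payloads are constructed stand-ins, not real X.509 certificates; the subject-name hash that a CAPATH directory needs is not computed here because it requires a real certificate and `openssl x509 -subject_hash`.

```python
from __future__ import annotations

import base64
import hashlib
import re

# One PEM certificate block: header, base64 body (any line wrapping), footer.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def _wrap(body_b64: str) -> str:
    """Format a base64 body as a canonical PEM block (64-column lines)."""
    lines = [body_b64[i:i + 64] for i in range(0, len(body_b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def split_bundle(text: str) -> list[str]:
    """Return every certificate in a bundle as a canonical PEM block."""
    return [_wrap("".join(m.group(1).split())) for m in _PEM_RE.finditer(text)]


def fingerprint(pem_block: str) -> str:
    """Hex SHA-256 of the DER bytes, i.e. what `openssl x509 -sha256 -fingerprint`
    prints without the colons. Identity is stable regardless of PEM wrapping."""
    m = _PEM_RE.search(pem_block)
    if m is None:
        raise ValueError("not a PEM certificate block")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def merge_bundles(*texts: str) -> str:
    """`cat *.pem > file.pem`, made idempotent: inputs may themselves be bundles,
    and a certificate already seen (same fingerprint) is not appended again,
    so repeated runs do not grow the file."""
    seen: dict[str, str] = {}
    for text in texts:
        for block in split_bundle(text):
            seen.setdefault(fingerprint(block), block)
    return "".join(seen.values())


def remove_cert(bundle: str, fp: str) -> tuple[str, bool]:
    """Rewrite the bundle without the certificate whose fingerprint is `fp`.
    This is the 'locate and snip it out' step the thread mentions: the whole
    file is rewritten, whereas a c_rehash directory only needs one unlink."""
    blocks = split_bundle(bundle)
    kept = [b for b in blocks if fingerprint(b) != fp]
    return "".join(kept), len(kept) != len(blocks)


def placeholder_pem(payload: bytes) -> str:
    """Constructed stand-in for a CA certificate: the payload is NOT DER/X.509;
    it only exercises the bundle handling above."""
    return _wrap(base64.b64encode(payload).decode("ascii"))


def demo() -> dict[str, int]:
    """Merge two constructed certs (one given twice), then remove one."""
    ca_a = placeholder_pem(b"placeholder-ca-A")
    ca_b = placeholder_pem(b"placeholder-ca-B")
    merged = merge_bundles(ca_a + ca_b, ca_a)          # ca_a appears twice
    smaller, _ = remove_cert(merged, fingerprint(ca_a))
    return {"after_merge": len(split_bundle(merged)),
            "after_remove": len(split_bundle(smaller))}


if __name__ == "__main__":
    print(demo())   # {'after_merge': 2, 'after_remove': 1}
```

Keying on the DER fingerprint rather than on file name or subject means two differently wrapped copies of the same CA collapse to one entry, and a removal cannot be fooled by a cert that merely shares a subject with the one being dropped.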

@fichtner fichtner removed this from the 18.7 milestone Feb 27, 2018
@fichtner fichtner removed the help wanted Contributor missing / timeout label Jul 12, 2018
@fichtner fichtner added this to the 19.1 milestone Jul 12, 2018
@fichtner
Member

as per discussion with @fabianfrz

  • ca_root_nss ETCSYMLINK option removal, roll our own /etc/ssl/certs.pem
  • curl CA_BUNDLE option hardcodes /usr/local/share/certs/ca-root-nss.crt
  • also check certifi, openssl, squid

@jpawlowski

Please note that replacing the original /etc/ssl/certs.pem might have an impact on DNS-over-TLS validation, where people might refer to that file to really secure DNS resolution in Unbound.

@qinohe

qinohe commented Feb 5, 2019

Hi fabian, I'm using a self-signed chain for this and did not see a change in 19.1; it still sends its daily backup to the cloud, so I'm not seeing this behavior and your tool (TOTP) still seems to do the job...

edit: there was an update for ca-root-nss, btw. ;)
sorry for quoting the wrong message...

@fichtner
Member

fichtner commented Apr 9, 2019

Note to self: /usr/local/etc/ssl/cert.pem and /usr/local//openssl/cert.pem need to be rewritten for safety. UFS corruptions will block the sample files from fixing the file (size 0, but created). We should inject the local CA certificates as well. This only leaves /etc/ssl/cert.pem which is weirdly symlinked to the base ca-root-nss.crt file instead so it will miss our own certificates...
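The note above describes two failure modes for the system bundle files: a zero-byte `cert.pem` left behind that the sample-file mechanism will not repair, and a target that is a symlink to the Mozilla-only bundle and therefore misses the local CAs. The following is an added example, not OPNsense's own code, of a rebuild routine that addresses both: it composes the Mozilla bundle plus every local CA file, refuses to overwrite a trust store when the result would contain no certificates, and writes each target atomically by renaming over it (which replaces a symlink entry with a regular file instead of writing through the link). The paths in the `__main__` demo are constructed placeholders in a temporary directory, not the real `/usr/local/etc/ssl/cert.pem`.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path

CERT_MARKER = "-----BEGIN CERTIFICATE-----"


def compose_bundle(mozilla_bundle: Path, local_ca_dir: Path) -> str:
    """Concatenate the Mozilla bundle with every local CA file (*.crt, *.pem).
    A missing or zero-byte source contributes nothing instead of failing."""
    sources = [mozilla_bundle]
    if local_ca_dir.is_dir():
        sources += sorted(p for p in local_ca_dir.iterdir()
                          if p.suffix in (".crt", ".pem"))
    parts: list[str] = []
    for src in sources:
        if src.is_file() and src.stat().st_size > 0:
            text = src.read_text()
            parts.append(text if text.endswith("\n") else text + "\n")
    return "".join(parts)


def write_atomically(target: Path, content: str, mode: int = 0o644) -> None:
    """Write to a temp file beside the target, fsync, then rename over it.
    The rename replaces a symlink entry with a regular file, which is what we
    want when the target was a stale link to another bundle."""
    fd, tmp = tempfile.mkstemp(dir=target.parent, prefix=target.name + ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, target)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def rebuild_trust_bundles(mozilla_bundle: Path, local_ca_dir: Path,
                          targets: list[Path]) -> dict[str, str]:
    """Rewrite every target with Mozilla + local CAs. Returns a status per target."""
    content = compose_bundle(mozilla_bundle, local_ca_dir)
    if CERT_MARKER not in content:
        # Never replace a trust store with a file that holds no certificates:
        # an empty cert.pem silently breaks every TLS client that reads it.
        return {str(t): "skipped: no certificates in sources" for t in targets}
    result: dict[str, str] = {}
    for target in targets:
        write_atomically(target, content)
        result[str(target)] = "rewritten"
    return result


if __name__ == "__main__":
    # Constructed demo layout; the PEM bodies are placeholders, not real certs.
    root = Path(tempfile.mkdtemp(prefix="trust-demo-"))
    (root / "ca-root-nss.crt").write_text(
        f"{CERT_MARKER}\nQUFB\n-----END CERTIFICATE-----\n")
    (root / "local").mkdir()
    (root / "local" / "internal-ca.pem").write_text(
        f"{CERT_MARKER}\nQkJC\n-----END CERTIFICATE-----")
    broken = root / "cert.pem"
    broken.write_text("")                       # the zero-byte case
    linked = root / "openssl-cert.pem"
    linked.symlink_to(root / "ca-root-nss.crt")  # the stale-symlink case
    print(rebuild_trust_bundles(root / "ca-root-nss.crt", root / "local",
                                [broken, linked]))
    print("symlink replaced:", not linked.is_symlink())
```

The "skipped" path is deliberate: when the Mozilla bundle is absent or empty, leaving the previous trust store in place is safer than installing an empty one, and the status value gives a caller something to alert on.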

fichtner added a commit that referenced this issue Apr 18, 2019
(cherry picked from commit 59b913f)
(cherry picked from commit 3d46287)
(cherry picked from commit 241716e)
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019