mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed
From: Bruno Thomsen <bth@kamstrup.com>
To: "ptxdist@pengutronix.de" <ptxdist@pengutronix.de>
Cc: Bruno Thomsen <bth@kamstrup.com>
Subject: Re: [ptxdist] [PATCH] libcurl: Added an option set to compile libcurl with optional builtin CA certificate default directory or builtin CA certificate default bundle file.
Date: Fri, 10 Apr 2015 13:40:27 +0000	[thread overview]
Message-ID: <915054555B5659448ACF8A70E114824D01984F9AFB@Exchange2010.kamstrup.dk> (raw)
In-Reply-To: <20150409152728.GH9865@pengutronix.de>

> > > Any reason, why these paths should be configurable?
> > 
> > /etc/ssl/certs seems to be the most common path to store certificates in.
> > However, we maintain RedHat servers here which use different paths by 
> > default. That's the reason why I made it configurable.
>
> Ok.

I think it's okay to make it configurable.

Ubuntu uses /usr/share/ca-certificates/ so it seems to be very distribution specific.

> > > And we need a package that provides those files, right?
> > 
> > In my opinion, such a package is nothing for the general ptxdist. It 
> > is highly project depending, at least in our company. We do not deploy 
> > a set of default CAs like you have it in the general purpose desktop 
> > or server distributions. For us it is very rare to have two projects 
> > with the same set of CA certificates.

The CA/Browser Forum (CA/B) has adopted new guidelines that deprecate internal server names and reserved IP addresses [1].
After November 1, 2015 certificates for internal names will no longer be trusted.

In other words the public CAs like DigiCert, VeriSign, etc. must only issue certificates to public internet domains with FQDNs.

This will cause an increase of private CAs when devices/servers only communicate on closed networks without internet access.

Inclusion of private CA trust chains is IMHO out of ptxdist scope.

But it's a completely different question if ptxdist should have an option to include a public CA bundle.
There are many use-cases where communication over the internet is useful in embedded devices.
The most obvious is a GSM/UMTS/LTE connected devices, since setting up a customer specific APN with VPN between server hosting and telecommunication company is rather costly.
So the embedded device connect with a standard "internet" APN, and gain NAT'ed internet access, where it can connect to a HTTPS or IPsec server that present a public signed certificate. So the embedded device only needs to be programmed with customer server FQDN and not a customer specific private CA certificate that might not be known at the time of product ordering.

> > Even if we add a certificates package, this should be more related to 
> > the openssl package itself than to the openssl user packages like curl.
> > 
> > Curl runs fine even if the default path (CA path or CA bundle) does 
> > not exist. It is just not finding proper certificates to validate 
> > SSL/TLS connections. This is the same behavior as today, where curl is 
> > configured to not look anywhere for matching certificates.
>
> To create a bundle we would need the script mk-ca-bundle.pl that comes with curl, right?

Yes.

> Bruno, if I apply this patch here, you could change your host-certdata package into a target package that installs the CA bundle itself. Would that make sense to you?

Okay, so I change the host-certdata package to a public-ca-bundle target package in the network section that selects LIBCURL_SSL_CABUNDLE and run the mk-ca-bundle.pl script from curl and install the result into LIBCURL_SSL_CABUNDLE_PATH.

/Bruno

[1] https://cabforum.org/wp-content/uploads/Guidance-Deprecated-Internal-Names.pdf


-- 
ptxdist mailing list
ptxdist@pengutronix.de

  reply	other threads:[~2015-04-10 13:40 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-04-02 21:18 Rüdiger, Christoph
2015-04-09  8:58 ` Michael Olbrich
2015-04-09 10:05   ` Rüdiger, Christoph
2015-04-09 15:27     ` Michael Olbrich
2015-04-10 13:40       ` Bruno Thomsen [this message]
2015-04-27  8:53         ` Michael Olbrich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=915054555B5659448ACF8A70E114824D01984F9AFB@Exchange2010.kamstrup.dk \
    --to=bth@kamstrup.com \
    --cc=ptxdist@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox