Re: controlling the location of server-side SSL files

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: controlling the location of server-side SSL files
Date: 2012-02-08 08:16:33
Message-ID: CABUevEy+wzSwene9CHcPX45J9Jz7d+H0DzRBo9TE_mWs3gMDDw@mail.gmail.com
Lists: pgsql-hackers

On Tuesday, February 7, 2012, Peter Eisentraut wrote:

> On tis, 2012-01-24 at 22:05 +0200, Peter Eisentraut wrote:
> > > > One thing that is perhaps worth thinking about: Currently, we just
> > > > ignore missing root.crt and root.crl files. With this patch, we still
> > > > do this, even if the user has given a specific nondefault location.
> > > > That seems a bit odd, but I can't think of a simple way to do it better.
> > >
> > > There's a review in the CF app for this finding only minor issues, so
> > > I'm marking this patch therein as "Ready for Committer".
> >
> > OK, no one had any concerns about the missing file behavior I
> > described above? If not, then I'll commit it soon.
>
> I'm still worried about this. If we ignore a missing root.crt, then the
> effect is that authentication and certificate verification might fail,
> which would be annoying, but you'd notice it soon enough. But if we
> ignore a missing root.crl, we are creating a security hole.
>

Yes, ignoring a missing file in a security context is definitely not good.
It should throw an error.

We have a few bad defaults from the old days around SSL for this, but if it
requires breaking backwards compatibility to get it right, I think we
should still do it.

> My best idea at the moment is that we should set these parameters to
> empty by default, and make users point them to existing files if they
> want to use that functionality. Comments?
>

+1. Anybody who actually cares about setting up security is likely not
going to rely on defaults anyway - and is certainly going to review
whatever they are. So there should be no big problem there.

//Magnus

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
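Added illustration of the two policies argued about above; this is not PostgreSQL's code. The ssl_ca_file / ssl_crl_file parameter names are PostgreSQL's; the checker, the strict flag and the sample data directory are constructed for this example. Empty means "not configured", a configured but missing file is an error under the fail-closed policy, and the legacy policy silently drops it, so a missing CRL leaves revocation unenforced.

```python
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SslFileCheck:
    ca_path: Optional[str]          # None when client-cert verification is off
    crl_path: Optional[str]         # None when no CRL is in use
    revocation_enforced: bool       # True only with both a usable CA and CRL
    errors: List[str] = field(default_factory=list)


def _resolve(data_dir: str, value: str) -> Optional[str]:
    # Empty string = "not configured" (the proposed default); relative names
    # are taken relative to the data directory, like the old root.crt/root.crl.
    if value == "":
        return None
    return value if os.path.isabs(value) else os.path.join(data_dir, value)


def check_ssl_files(settings: Dict[str, str], data_dir: str, strict: bool) -> SslFileCheck:
    """strict=False mimics the old behaviour (a missing file is silently skipped);
    strict=True is the fail-closed behaviour: a configured file must exist."""
    errors: List[str] = []

    def usable(name: str, path: Optional[str]) -> Optional[str]:
        if path is None or os.path.isfile(path):
            return path
        if strict:
            errors.append(f"{name}: configured file {path!r} does not exist")
        return None  # legacy: the file is dropped without any diagnostic

    ca = usable("ssl_ca_file", _resolve(data_dir, settings.get("ssl_ca_file", "")))
    crl = usable("ssl_crl_file", _resolve(data_dir, settings.get("ssl_crl_file", "")))
    enforced = ca is not None and crl is not None and not errors
    return SslFileCheck(ca, crl, enforced, errors)


def demo() -> Dict[str, SslFileCheck]:
    # Constructed sample data directory: root.crt exists, root.crl does not.
    data_dir = tempfile.mkdtemp()
    open(os.path.join(data_dir, "root.crt"), "w").close()
    cfg = {"ssl_ca_file": "root.crt", "ssl_crl_file": "root.crl"}
    return {
        "legacy": check_ssl_files(cfg, data_dir, strict=False),
        "strict": check_ssl_files(cfg, data_dir, strict=True),
        "defaults": check_ssl_files({}, data_dir, strict=True),
    }


if __name__ == "__main__":
    for policy, result in demo().items():
        print(policy, result)
```

Under "legacy" the server would start with a CA but no CRL and no message about it, which is exactly the silent hole described above; under "strict" startup fails with a named file.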
