System: Trust: Authorities - cleanup openssl trust store

Open AdSchellevis opened this issue 1 year ago • 0 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

Currently we flush a combined certificate store to the following locations:

  • /etc/ssl/cert.pem
  • /usr/local/etc/ssl/cert.pem
  • /usr/local/openssl/cert.pem

But in our code, when we need a combined store (in cases where openssl doesn't use the regular hashes), we only use /etc/ssl/cert.pem. As we expect the trust store to use the files certctl created, I would like to suggest to only write the combined store to a location not being used by default and clean up the callers on our end.

This would mean we forcefully remove /etc/ssl/cert.pem and /usr/local/openssl/cert.pem when they exist and replace our references to /etc/ssl/cert.pem with /usr/local/etc/ssl/cert.pem.

Since we force all files to be in sync at the moment, there is no immediate issue, but for transparency it would help if our trust store would be a well defined singular container.

To Reproduce

truss /usr/local/bin/openssl s_client -servername my.domain.to.check -connect my.domain.to.check:443 < /dev/null

(or openssl for the base version)

and inspect the output; the associated hash in the certs directory won't be used in this case.

Expected behavior

Use the rehash output of certctl.

Describe alternatives you considered

Keep as is, with the downsides of having multiple copies.

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 24.7.x (amd64).

AdSchellevis · Sep 26 '24 07:09
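
A consistency check for the combined-store copies listed in the issue, added here as an example and not taken from the OPNsense code base: it reports which of the two extra paths still exist and whether they differ from /usr/local/etc/ssl/cert.pem, the copy the issue proposes to keep. The function names and the optional ROOT prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not OPNsense code): audit the combined-store copies from the issue.
KEEP=/usr/local/etc/ssl/cert.pem                       # path the issue proposes to keep
OTHERS="/etc/ssl/cert.pem /usr/local/openssl/cert.pem" # paths it proposes to remove

# Print the number of PEM certificate blocks in a bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# audit_bundles [ROOT]
# ROOT is a hypothetical prefix (mounted image, test tree); empty means the live system.
# Returns 0 if every extra copy is absent or identical, 1 on drift, 2 if KEEP is missing.
audit_bundles() {
    root=${1:-}
    status=0
    if [ ! -f "$root$KEEP" ]; then
        echo "MISSING  $KEEP"
        return 2
    fi
    echo "KEEP     $KEEP ($(count_certs "$root$KEEP") certs)"
    for p in $OTHERS; do
        f=$root$p
        kind=COPY
        [ -L "$f" ] && kind=SYMLINK
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then
            echo "ABSENT   $p"
        elif cmp -s "$f" "$root$KEEP"; then
            echo "$kind     $p (in sync)"
        else
            # A stale copy may still trust a CA that was removed from the kept store.
            echo "DRIFT    $p ($(count_certs "$f") certs)"
            status=1
        fi
    done
    return $status
}
```

Source the file and call `audit_bundles` with no argument to check the running system; a non-zero return means a copy has diverged or the kept bundle is missing.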