The solution to https://bugs.gentoo.org/show_bug.cgi?id=446426 breaks the default cert directory used by tlsdate-0.0.6. The man page states that the default value for the -C | --certdir option is /etc/ssl/certs. This is incorrect, but may have been correct at the time #446426 was reported. The actual default value is defined in Makefile.am:119:

> #define TLSDATE_CERTFILE "$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf"

The solution used for #446426 was to include the following in src_install():

> rm -r "${ED}"/etc || die

This obviously removes the default TLSDATE_CERTFILE. I've verified that tlsdate's Makefile installs it, but haven't updated the ebuild myself yet. Simply removing the line above should fix the default behaviour for 0.0.6.

The easiest workaround is to explicitly specify a cert directory, i.e.:

> tlsdate -C /etc/ssl/certs/

Reproducible: Always

Steps to Reproduce:
Run tlsdate without arguments

Actual Results:
tlsdate fails with:

> Unable to stat CA certficate container
> child process failed in SSL handshake

Expected Results:
TLS time retrieval using default config
Created attachment 393694: tlsdate-0.0.6-cacert.patch

Patch for Makefile.am to point to the default system configuration. To use it, add the epatch line before eautoreconf in src_prepare() to the ebuild.
I don't like that solution very much, I think it decreases the security compared to what we currently have (in 0.0.12-r1). Our current setting just symlinks to the specific root used by google.com which we have as the default in tlsdate. This means a fake certificate issued by another root cannot attack the connection. It is a common issue with the CA system that there are "too many untrustworthy CAs", so I would prefer not to default to trusting all of them. Given that usually you don't need to connect to different timeservers I find it sane to default to configuring just one root.
(In reply to Hanno Boeck from comment #2) i don't think tlsdate is the place to enforce these policies. if a CA is untrustworthy, then having it in the system store affects every app. a secure clock is hardly the biggest problem to worry about. Gentoo has a system set of certs it ships, and all apps should be using that out of the box. if you want to be paranoid here, tlsdate has a -C option you can leverage.
should be all set now in the tree; thanks for the report!

Commit message: Use the whole system cert store rather than hardcoding a specific CA

http://sources.gentoo.org/net-misc/tlsdate/tlsdate-0.0.12-r2.ebuild?rev=1.1
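Two things an administrator may want to check after reading this thread: whether the CA container tlsdate will open actually exists (the "Unable to stat" failure in the report), and how many roots that container trusts (one pinned root, as in the 0.0.12-r1 symlink, versus the whole system store, as in -r2). The script below is an added example and not code from the bug report, the ebuild or the tlsdate project; it assumes the build default path quoted from Makefile.am, the directory form of -C shown in the workaround, and PEM-encoded certificates.

```shell
#!/bin/sh
# Added example (not from the bug report or tlsdate): resolve the CA container
# tlsdate would use and summarise what it trusts.
# Assumptions: $(sysconfdir) defaults to /etc, and certificates are PEM.

TLSDATE_SYSCONFDIR="${TLSDATE_SYSCONFDIR:-/etc}"   # $(sysconfdir) in Makefile.am
TLSDATE_DEFAULT_CERTFILE="$TLSDATE_SYSCONFDIR/tlsdate/ca-roots/tlsdate-ca-roots.conf"

# tlsdate_ca_container [explicit -C path]
# Prints the container tlsdate would open; prints "missing:<path>" and fails
# when stat() would fail, which is the symptom reported before any handshake.
tlsdate_ca_container() {
    path="${1:-$TLSDATE_DEFAULT_CERTFILE}"
    if [ -e "$path" ]; then
        printf '%s\n' "$path"
        return 0
    fi
    printf 'missing:%s\n' "$path"
    return 1
}

# tlsdate_ca_count <container>
# Counts PEM certificates in a file, or across every file in a directory, so
# the administrator can see whether tlsdate is pinned to one root or trusts
# the whole system store. Note: a directory holding both a bundle and per-CA
# files (or hash symlinks) counts the same root more than once.
tlsdate_ca_count() {
    container="$1"
    if [ -d "$container" ]; then
        cat "$container"/* 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
    elif [ -f "$container" ]; then
        grep -c 'BEGIN CERTIFICATE' "$container" || true
    else
        echo 0
    fi
}

# tlsdate_precheck [explicit -C path]
# One-line summary, suitable for running before tlsdate itself.
tlsdate_precheck() {
    container=$(tlsdate_ca_container "$1") || { echo "$container"; return 1; }
    echo "$container: $(tlsdate_ca_count "$container") trusted root(s)"
}
```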