Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 534394 - net-misc/tlsdate-0.0.6 defaults to CA store removed in ebuild
Summary: net-misc/tlsdate-0.0.6 defaults to CA store removed in ebuild
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: SpanKY
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-03 00:13 UTC by gentoo-bugzilla
Modified: 2015-02-14 04:54 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
tlsdate-0.0.6-cacert.patch (tlsdate-0.0.6-cacert.patch,633 bytes, patch)
2015-01-11 15:43 UTC, René Rhéaume 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description gentoo-bugzilla 2015-01-03 00:13:23 UTC 
The solution to https://bugs.gentoo.org/show_bug.cgi?id=446426 breaks the default cert directory used by tlsdate-0.0.6.
The man page states that the default value for the -C | --certdir option is /etc/ssl/certs. This is incorrect, but may have been correct at the time #446426 was reported.
The actual default value is defined in Makefile.am:119
> #define TLSDATE_CERTFILE "$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf"

The solution used for #446426 was to include the following in src_install():
> rm -r "${ED}"/etc || die
This obviously removes the default TLSDATE_CERTFILE.

I've verified that tlsdate's Makefile installs it, but haven't updated the ebuild myself yet. Simply removing the line above should fix the default behaviour for 0.0.6.


The easiest workaround is to explicitly specify a cert directory, i.e.:
> tlsdate -C /etc/ssl/certs/

Reproducible: Always

Steps to Reproduce:
Run tlsdate without arguments
Actual Results:  
tlsdate fails with:
> Unable to stat CA certficate container
> child process failed in SSL handshake

Expected Results:  
TLS time retrieval using default config
Comment 1 René Rhéaume 2015-01-11 15:43:42 UTC 
Created attachment 393694 [details, diff]
tlsdate-0.0.6-cacert.patch

Patch for Makefile.am to point to the default system configuration.

To use it, add the epatch line before eaureconf in src_prepare() to the ebuild.
Comment 2 Hanno Böck gentoo-dev 2015-01-29 21:12:13 UTC 
I don't like that solution very much, I think it decreases the security to what we currently have (in 0.0.12-r1).

Our current setting just symlinks to the specific root used by google.com which we have as the default in tlsdate. This means a fake certificate issued by another root cannot attack the connection.

It is a common issue with the CA system that there are "too many untrustwothy CAs", so I would prefer not to default to trusting all of them. Given that usually you don't need to connect to different timeservers I find it sane to default to configuring just one root.
Comment 3 SpanKY gentoo-dev 2015-01-30 02:17:54 UTC 
(In reply to Hanno Boeck from comment #2)

i don't think tlsdate is the place to enforce these policies.  if a CA is untrustworthy, then having it in the system store affects every app.  a secure clock is hardly the biggest problem to worry about.  Gentoo has a system set of certs it ships, and all apps should be using that out of the box.

if you want to be paranoid here, tlsdate has a -C option you can leverage.
Comment 4 SpanKY gentoo-dev 2015-02-14 04:54:36 UTC 
should be all set now in the tree; thanks for the report!

Commit message: Use the whole system cert store rather than hardcoding a specific CA
http://sources.gentoo.org/net-misc/tlsdate/tlsdate-0.0.12-r2.ebuild?rev=1.1