Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-50293

ca-certificates should switch to pem directory hash format for OpenSSL consumption and stop producing /etc/pki/tls/cert.pem symlink

    • ca-certificates-2024.2.69_v8.0.303-101.2.el10
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 29
    • 5
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Red Hat Enterprise Linux
    • Crypto24Q3
    • Approved Exception
      • /etc/pki/tls/cert.pem is absent or empty.
      • /etc/pki/tls/certs contains the files created by c_rehash.
      • User files in /etc/pkit/tls/certs are preserved and not deleted when update-ca-trust runs
    • Pass
    • None
    • Removed Functionality
    • Hide
      .`ca-certificates` trust store moved

      The `/etc/pki/tls/certs` trust store is converted to a different format better optimized for OpenSSL. As a consequence, if you use the files in `/etc/pki/tls/certs` directly, switch to the `/etc/pki/ca-trust/extracted` directory, where the same data is stored. For example, software that accesses the trust bundle at `/etc/pki/tls/certs/ca-bundle.crt` should switch to using `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` instead.
      Show
      .`ca-certificates` trust store moved The `/etc/pki/tls/certs` trust store is converted to a different format better optimized for OpenSSL. As a consequence, if you use the files in `/etc/pki/tls/certs` directly, switch to the `/etc/pki/ca-trust/extracted` directory, where the same data is stored. For example, software that accesses the trust bundle at `/etc/pki/tls/certs/ca-bundle.crt` should switch to using `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` instead.
    • Done
    • None

      Goal

      As a user of an application using OpenSSL, I do not want to pay the startup cost of OpenSSL loading the set of trusted certificates from /etc/pki/tls/cert.pem on every startup, and want to instead rely on the on-demand check of files in /etc/pkit/tls/certs/<hash>.<number>.

      Acceptance Criteria

      • /etc/pki/tls/cert.pem is absent or empty.
      • /etc/pki/tls/certs contains the files created by c_rehash.
      • User files in /etc/pkit/tls/certs are preserved and not deleted when update-ca-trust runs

      To implement this, consider creating the directory hash export format in a separate directory (e.g., /etc/pki/ca-trust/extracted/pem/directory-hash) followed by a script that removes all files matching ^[0-9a-f]\.\d+$ from /etc/pki/tls/certs and creates symlinks for every such entry in /etc/pki/ca-trust/extracted/pem/directory-hash.

      Alternatively, consider making /etc/pki/tls/certs a symlink to a different location - note that this has consequences for the leapp upgrade from RHEL 9 to 10, so would have to come with an appropriate leapp actor to address this.

              fkrenzel František Krenželok
              cllang@redhat.com Clemens Lang
              František Krenželok František Krenželok
              Alexander Sosedkin Alexander Sosedkin
              Jan Fiala Jan Fiala
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated: