RHEL-50293

ca-certificates should switch to pem directory hash format for OpenSSL consumption and stop producing /etc/pki/tls/cert.pem symlink

    • ca-certificates-2024.2.69_v8.0.303-101.2.el10
    • 1
    • sst_security_crypto
    • ssg_security
    • 29
    • 5
    • False
    • Yes
    • Red Hat Enterprise Linux
    • Crypto24Q3
    • Approved Exception
      • /etc/pki/tls/cert.pem is absent or empty.
      • /etc/pki/tls/certs contains the files created by c_rehash.
      • User files in /etc/pki/tls/certs are preserved and not deleted when update-ca-trust runs.
    • Pass
    • None
    • Removed Functionality
      Use with caution! Removals should only happen between major releases.

      Description (describe the discontinued feature): the /etc/pki/tls/certs trust store will be converted to a different format optimized for OpenSSL consumption (the <hash>.<number> directory-hash layout that OpenSSL looks up on demand).
      Consequence (describe the recommended replacement, if applicable): direct users of files in /etc/pki/tls/certs should switch to consuming the same data from /etc/pki/ca-trust/extracted. For example, software accessing the trust bundle at /etc/pki/tls/certs/ca-bundle.crt should switch to using /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem instead.
    • Proposed
    • None

      Goal

      As a user of an application using OpenSSL, I do not want to pay the startup cost of OpenSSL loading the whole set of trusted certificates from /etc/pki/tls/cert.pem on every startup, and want to instead rely on the on-demand lookup of files in /etc/pki/tls/certs/<hash>.<number> (the directory-hash format, where <hash> is the certificate's subject name hash).

      Acceptance Criteria

      • /etc/pki/tls/cert.pem is absent or empty.
      • /etc/pki/tls/certs contains the files created by c_rehash.
      • User files in /etc/pki/tls/certs are preserved and not deleted when update-ca-trust runs.

      To implement this, consider creating the directory-hash export format in a separate directory (e.g., /etc/pki/ca-trust/extracted/pem/directory-hash), followed by a script that removes all entries matching ^[0-9a-f]{8}\.\d+$ (the <hash>.<number> names c_rehash produces) from /etc/pki/tls/certs and creates a symlink there for every such entry in /etc/pki/ca-trust/extracted/pem/directory-hash. Files with any other name in /etc/pki/tls/certs are left alone, which is what keeps user-supplied certificates intact across update-ca-trust runs.

      Alternatively, consider making /etc/pki/tls/certs a symlink to a different location - note that this has consequences for the leapp upgrade from RHEL 9 to 10, so would have to come with an appropriate leapp actor to address this.

            František Krenželok (fkrenzel)
            Clemens Lang (cllang@redhat.com)
            Alexander Sosedkin
            Jan Fiala