-
Story
-
Resolution: Unresolved
-
Major
-
rhel-10.0
-
ca-certificates-2024.2.69_v8.0.303-101.2.el10
-
1
-
rhel-sst-security-crypto
-
ssg_security
-
29
-
5
-
False
-
-
Yes
-
Red Hat Enterprise Linux
-
Crypto24Q3
-
Approved Exception
-
- /etc/pki/tls/cert.pem is absent or empty.
- /etc/pki/tls/certs contains the files created by c_rehash.
- User files in /etc/pkit/tls/certs are preserved and not deleted when update-ca-trust runs
-
Pass
-
None
-
Removed Functionality
-
-
Done
-
None
Goal
As a user of an application using OpenSSL, I do not want to pay the startup cost of OpenSSL loading the set of trusted certificates from /etc/pki/tls/cert.pem on every startup, and want to instead rely on the on-demand check of files in /etc/pkit/tls/certs/<hash>.<number>.
Acceptance Criteria
- /etc/pki/tls/cert.pem is absent or empty.
- /etc/pki/tls/certs contains the files created by c_rehash.
- User files in /etc/pkit/tls/certs are preserved and not deleted when update-ca-trust runs
To implement this, consider creating the directory hash export format in a separate directory (e.g., /etc/pki/ca-trust/extracted/pem/directory-hash) followed by a script that removes all files matching ^[0-9a-f]\.\d+$ from /etc/pki/tls/certs and creates symlinks for every such entry in /etc/pki/ca-trust/extracted/pem/directory-hash.
Alternatively, consider making /etc/pki/tls/certs a symlink to a different location - note that this has consequences for the leapp upgrade from RHEL 9 to 10, so would have to come with an appropriate leapp actor to address this.
- links to
-
RHBA-2024:137742 ca-certificates bug fix and enhancement update
-
RHBA-2024:140078 ca-certificates bug fix and enhancement update