Synopsis
export PERL5LIB=-MMozilla::CA::Debian
# Now every perl code that uses Mozilla::CA will instead use your certificates from
# /etc/ssl/certs (kept up to date by the sysadmin) instead of the outdated Mozilla::CA
Description
Doc
Root certificates are a major component of TLS security. Many CPAN modules rely on Mozilla::CA
as a default, portable, list of root certificates.
But when relying on Mozilla::CA
, we rely on:
- the maintainer to release often to keep
Mozilla::CA
in sync with the Mozilla certificates list - the maintainer of the module to be trustable (no compromised certificates introduced)
- yourself or your sysadmin to keep your local copy of
Mozilla::CA
up to date with the latest CPAN release - the CPAN mirror from not being compromised to serve an altered version of
Mozilla::CA
- you can't use additional root certificates installed on your system that are not in Mozilla list (unless the application allow to use multiple certificate databases)
- you can't filter the Mozilla list to exclude some certificates
This is many risks while on a Debian system you already have a list of certificates that:
- you already trust for all tasks on your system
- is updated with other system packages
So Mozilla::CA::Debian replaces Mozilla::CA, providing the same interface (including hijacking the package name) but while using the certificates from /etc/ssl/certs.
Implementation
The implementation uses lazy loading to build the certificates file (Mozilla::CA exposes the certificate database while Debian exposes a directory of files) only when the VERSION is requested or when SSL_ca_file function is called.
It also allows both Mozilla::CA and Mozilla::CA::Debian to be installed in @INC
. Mozilla::CA::Debian will only be used if it is loaded first.
$Mozilla::CA::VERSION
reported will be the timestamp of the most recent file in /etc/ssl/certs
.
Status
The code is working. POD has to be written (probably will be copied from the block above).
Questions
- I'm not sure about the features. What other system use a directory of PEM files?
- I'm not sure about the name, as my implementation may work on other systems than Debian.
- Is hijacking the Mozilla::CA package the right way?
Comments
Another approach (not saying better) would be to make a package called something like Crypt::CA::Any that acts as a layer above different underlying implementations - and possibly has an import flag to explicitly enable hijacking the Mozilla::CA namespace for packages that are not converted over to the *::CA::Any API.
Please sign up to post a review.