PrePAN

Mozilla::CA::Debian Replace Mozilla::CA using certificates from /etc/ssl/certs

Synopsis

export PERL5OPT=-MMozilla::CA::Debian

# Now all Perl code that uses Mozilla::CA will use your certificates from
# /etc/ssl/certs (kept up to date by the sysadmin) instead of the outdated Mozilla::CA

Description

Doc

Root certificates are a major component of TLS security. Many CPAN modules rely on Mozilla::CA as a default, portable list of root certificates.

But when relying on Mozilla::CA, we rely on:

  • the maintainer to release often to keep Mozilla::CA in sync with the Mozilla certificates list
  • the maintainer of the module to be trustworthy (no compromised certificates introduced)
  • yourself or your sysadmin to keep your local copy of Mozilla::CA up to date with the latest CPAN release
  • the CPAN mirror not being compromised to serve an altered version of Mozilla::CA
  • you can't use additional root certificates installed on your system that are not in the Mozilla list (unless the application allows using multiple certificate databases)
  • you can't filter the Mozilla list to exclude some certificates

These are many risks, while on a Debian system you already have a list of certificates that:

  • you already trust for all tasks on your system
  • is updated with other system packages

So Mozilla::CA::Debian replaces Mozilla::CA, providing the same interface (including hijacking the package name) while using the certificates from /etc/ssl/certs.

Implementation

The implementation uses lazy loading to build the certificates file (Mozilla::CA exposes the certificate database while Debian exposes a directory of files) only when the VERSION is requested or when the SSL_ca_file function is called.

It also allows both Mozilla::CA and Mozilla::CA::Debian to be installed in @INC. Mozilla::CA::Debian will only be used if it is loaded first.

$Mozilla::CA::VERSION reported will be the timestamp of the most recent file in /etc/ssl/certs.

Status

The code is working. POD has to be written (probably will be copied from the block above).

Questions

  • I'm not sure about the features. What other systems use a directory of PEM files?
  • I'm not sure about the name, as my implementation may work on other systems than Debian.
  • Is hijacking the Mozilla::CA package the right way?
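
The lazy directory-to-file step described under Implementation, as an added example that is not the author's code. The package name Local::CABundle, the function newest_mtime and the demo directory are assumptions made for illustration; it does not touch the Mozilla::CA namespace.

```perl
package Local::CABundle;   # hypothetical name, not the proposed module
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use File::Temp ();

our $CERT_DIR = '/etc/ssl/certs';   # directory named on the page
my ($bundle, $newest);              # stay undef until first use

sub _build {
    return if defined $bundle;
    my (%seen, @pem);
    $newest = 0;
    opendir my $dh, $CERT_DIR or die "cannot read $CERT_DIR: $!\n";
    for my $name (sort readdir $dh) {
        my $path = "$CERT_DIR/$name";
        next unless -f $path;       # follows symlinks; skips . and ..
        my $mtime = (stat _)[9];
        $newest = $mtime if $mtime > $newest;
        open my $fh, '<', $path or next;
        my $text = do { local $/; <$fh> } // '';
        while ($text =~ /(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)/sg) {
            (my $block = $1) =~ s/\r//g;
            # A file may be a bundle; hashed-name symlinks repeat the same PEM.
            push @pem, $block unless $seen{ sha256_hex($block) }++;
        }
    }
    die "no certificates in $CERT_DIR\n" unless @pem;   # fail closed
    $bundle = File::Temp->new(SUFFIX => '.pem');        # unlinked at exit
    print {$bundle} "$_\n" for @pem;
    $bundle->flush;
}

sub SSL_ca_file  { _build(); return $bundle->filename }
sub newest_mtime { _build(); return $newest }   # value the page reports as VERSION

unless (caller) {   # demo on a constructed directory; blocks are not real certificates
    my $dir = File::Temp->newdir;
    my @c = map { "-----BEGIN CERTIFICATE-----\n$_\n-----END CERTIFICATE-----\n" } qw(QUFB QkJC);
    my %files = ('a.pem' => $c[0], 'bundle.crt' => join('', @c));
    for my $f (keys %files) {
        open my $out, '>', "$dir/$f" or die $!;
        print {$out} $files{$f};
        close $out;
    }
    $CERT_DIR = "$dir";
    open my $in, '<', SSL_ca_file() or die $!;
    my $n = grep { /BEGIN CERTIFICATE/ } <$in>;
    print "unique certificates in bundle: $n\n";
}
1;
```

Dying when the directory yields no certificates keeps a misconfigured path from silently producing an empty trust store.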

Comments

This definitely seems like useful functionality to me. Hijacking the Mozilla::CA package does seem a little heavy-handed, but it's not without precedent and I understand your reasons.

Another approach (not saying better) would be to make a package called something like Crypt::CA::Any that acts as a layer above different underlying implementations - and possibly has an import flag to explicitly enable hijacking the Mozilla::CA namespace for packages that are not converted over to the *::CA::Any API.

I just discovered that single-file certificate stores already exist on various systems: https://metacpan.org/source/DAGOLDEN/HTTP-Tiny-0.056/lib/HTTP/Tiny.pm#L1447
