Saturday, December 13, 2008

Making apline see a default CAFile on OSX

One of the problems with doing Linux almost exclusively is that I get real lazy when it comes to small things. Most Linux distros sand the rough edges well enough that there's stuff I just don't remember how to do anymore because "they just work" now, when previously they didn't. Dealing with OpenSSL's default CAFile is one of those things.

Luckily, OSX to the rescue. I've started using OS X as my primary desktop platform for 100% of my duties. This includes email so I need my mail client of preference: pine. For the last bunch of years I've just been using Fedora which has had alpine (and Dag had pine for RHEL in the pre-alpine days.. thanks Dag!). Even when I was using a Mac in the past, I'd ssh over to the Linux box to use pine because it was easier. Now, I'm not ditching Linux, but I am trying some different workflows and working methods out as part of my new job.

So I installed pine with MacPorts, which also installed a MacPorts version of OpenSSL, which also does not come with a default ca-bundle.crt. This causes alpine (and/or most SSL apps in MacPorts) to complain LOUDLY about not being able to validate the cert as trusted. Worse, is that after poking at pine with dtrace it was using what I think is a very linuxy version of the ca-bundle.crt (eg: /opt/local/etc/openssl/cert.pem instead.. ha!).

So to fix (after a few hours of poking around... this stuff is not well documented) do something akin to the following:
  • Grab the script from the fine folks at cURL.
  • This script is perl, and needs LWP. I'm assuming you're using MacPorts, so
    sudo port install p5-libwww-perl
  • Run
  • sudo -s
  • cd /opt/local/etc/openssl
  • mkdir certs
  • cp /path/to/generated/ca-bundle.crt certs/ca-bundle.pem
  • ln -s certs/ca-bundle.pem cert.pem
  • cd certs
  • c_rehash .
  • ln -s ca-bundle.pem ca-bundle.crt
After which MacPorts bianries (including alpine) should have a nice large CAFile by default and much of your "O. M. G. YOUR SSL IZ BUSTED" errors should go away.

You'll also note that I rename the bundle with a .pem extension and then may a symlink for the .crt pointing at them .pem. I do this mainly because I'm kind of anal.. the ca-bundle.crt that is generated by is full of PEM formatted CA certs, as openssl expects. So I like to be extra descriptive about what exactly the file is, but lots of stuff seems to maybe expect a ca-bundle.crt as well.

Sigh. Security needs be easier than this.

No comments: