From 913a5caae3da0cf40087cb46fbc0bda00e69752e Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Thu, 7 Nov 2024 19:37:49 +0100
Subject: [PATCH] system: kill the SSL bundles in default locations

Neither OpenSSL base (/etc/ssl) nor ports (/usr/local/openssl) need the bundle file now that we use the directory trust store. The downside is that as soon as the bundle exists OpenSSL library will read both the directory and the bundle by default defeating the purpose of a single location and the directory being faster.

Keep the fringe ca_root_nss location /usr/local/etc/ssl since that is still seeded by the package but controlled and topped up by the user configured authorities.
---
 src/etc/inc/system.inc | 7 +++++--
 src/etc/rc | 2 +-
 src/etc/rc.syshook | 2 +-
 src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php | 2 +-
 src/opnsense/service/conf/configd.conf | 2 +-
 src/opnsense/site-python/tls_helper.py | 2 +-
 6 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index b93ab056a..a5bca3b9c 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -985,7 +985,10 @@ function system_trust_configure($verbose = false)
 $ca_bundle[] = file_get_contents($file);
 }
 $ca_bundle = join("\n", $ca_bundle);
- foreach (['/etc/ssl/cert.pem', '/usr/local/openssl/cert.pem', '/usr/local/etc/ssl/cert.pem'] as $pem) {
+ foreach (['/etc/ssl/cert.pem', '/usr/local/openssl/cert.pem'] as $pem) {
+ @unlink($pem); /* remove permanently as we use the directory */
+ }
+ foreach (['/usr/local/etc/ssl/cert.pem'] as $pem) {
 @unlink($pem); /* do not clobber symlink target */
 file_put_contents($pem, $ca_bundle);
 chmod($pem, 0644);
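Review bot: The new removal loop suppresses unlink() errors, so when /etc/ssl/cert.pem or /usr/local/openssl/cert.pem cannot be removed (permissions, an immutable flag, a directory in its place) the stale bundle silently stays behind and OpenSSL keeps reading both the directory and the bundle, which is the very situation the commit message sets out to eliminate. Consider checking the outcome and reporting it, e.g. `if (file_exists($pem) && !@unlink($pem)) { /* report: stale CA bundle could not be removed */ }`, so the condition is visible in the log rather than masked. In the second loop the unlink-then-file_put_contents sequence leaves a window in which /usr/local/etc/ssl/cert.pem is absent or partially written for any consumer running concurrently; writing to a temporary file in the same directory and rename()-ing it over the path closes that gap and still replaces a symlink without following it. system_trust_configure() begins and ends outside the hunk.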
@@ -1142,7 +1145,7 @@ function system_cron_configure($verbose = false)
 $crontab_contents .= "# /etc/crontab, see the crontab(5) manual page.\n";
 $crontab_contents .= "SHELL=/bin/sh\n";
 $crontab_contents .= "PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin\n";
- $crontab_contents .= "REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem\n";
+ $crontab_contents .= "REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem\n";
 $crontab_contents .= "#minute\thour\tmday\tmonth\twday\tcommand\n";
 foreach ($autocron as $item) {
diff --git a/src/etc/rc b/src/etc/rc
index d434b601e..6a6ded20a 100755
--- a/src/etc/rc
+++ b/src/etc/rc
@@ -38,7 +38,7 @@ trap "echo 'Boot interrupted'; exit 1" 3
 HOME=/
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem
+REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem
 ZPOOL_IMPORT_PATH=/dev
 export HOME PATH REQUESTS_CA_BUNDLE ZPOOL_IMPORT_PATH
diff --git a/src/etc/rc.syshook b/src/etc/rc.syshook
index 2135b87e4..0bdc44552 100755
--- a/src/etc/rc.syshook
+++ b/src/etc/rc.syshook
@@ -42,7 +42,7 @@ # suffix is moved to the new subdirectory during a request.
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem
+REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem
 SYSDIR="/usr/local/etc/rc.syshook.d"
 SYSLEVEL="${1}"
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
index 0bbc95846..7feea4b83 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
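Review bot: The bundle path `/usr/local/etc/ssl/cert.pem` is now a bare string literal here and again in the rc, rc.syshook, configd.conf, LDAP.php and tls_helper.py hunks, with nothing tying these six consumers back to the code that produces the file in system_trust_configure(). A one-line comment on the assignment, `/* must match the CA bundle written by system_trust_configure() */`, would make the coupling visible the next time the location moves; the same remark applies to the other hunks and is not repeated there. system_cron_configure() continues outside the hunk.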
@@ -349,7 +349,7 @@ class LDAP extends Base implements IAuthConnector
 // Note: All TLS options must be set before ldap_connect is called
 if ($this->ldapURLType != "standard") {
 ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
- ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/cert.pem");
+ ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/usr/local/etc/ssl/cert.pem');
 } else {
 ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
 }
diff --git a/src/opnsense/service/conf/configd.conf b/src/opnsense/service/conf/configd.conf
index 350c1b558..fa6d2287b 100644
--- a/src/opnsense/service/conf/configd.conf
+++ b/src/opnsense/service/conf/configd.conf
@@ -4,5 +4,5 @@ pid_filename:/var/run/configd.pid
 [environment]
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
-REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem
+REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem
 HOME=/
diff --git a/src/opnsense/site-python/tls_helper.py b/src/opnsense/site-python/tls_helper.py
index a4cf7680b..aba65eee3 100644
--- a/src/opnsense/site-python/tls_helper.py
+++ b/src/opnsense/site-python/tls_helper.py
@@ -73,7 +73,7 @@ class PlatformTLSAdaptor(HTTPAdapter):
 ctx_args['ciphers'] = openssl_conf['cipherstring']
 cls.ssl_context = create_urllib3_context(**ctx_args)
- cls.ssl_context.load_verify_locations('/etc/ssl/cert.pem')
+ cls.ssl_context.load_verify_locations('/usr/local/etc/ssl/cert.pem')
 if openssl_conf['minprotocol']:
 for item in openssl_conf['minprotocol'].split("\n"):
 if item == 'TLSv1':
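Review bot: `load_verify_locations('/usr/local/etc/ssl/cert.pem')` raises FileNotFoundError when the file is absent, and unlike the base-system /etc/ssl/cert.pem it replaces, this bundle only exists once the package has seeded it or system_trust_configure() has rewritten it (per the commit message and the first system.inc hunk, which unlinks it before writing), so a missing bundle now surfaces as an exception while the context is being built rather than as a certificate verification failure. Worth stating that precondition where the context is created, e.g. `# CA bundle is maintained by system_trust_configure(); it must exist before the adaptor is first used`, or catching OSError and reporting the path so the failure is attributable. The enclosing method starts outside the hunk.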