Running the grep below lights up a few spots still:
# git grep 'pkg[^/\[\.a-z'"'"',()_+"]'
Make a few decisions for the future:
* Use "pkg-static" outside the firmware code consistently
with a full path
* Modify ambiguous code or comments to not be found by the
grep above
* Firmware uses PKG now if we ever have to pivot to pkg-static
or when we need to otherwise modify the call.
The goal of this exercise was to find all stray package manager
spots that may run their own embedded pkg-update without the
proper environment which should be gone for now.
While debugging some missing TLS parameters, I noticed the ciphers were different than expected. Digging a bit deeper seemed to indicate env_init() wasn't called on my end.
If SELF should be the command, the intention was likely to pass the parameter instead of the script name (which is always launcher).
cc @fichtner
Neither OpenSSL base (/etc/ssl) nor ports (/usr/local/openssl) need
the bundle file now that we use the directory trust store. The downside
is that as soon as the bundle exists OpenSSL library will read both the
directory and the bundle by default defeating the purpose of a single
location and the directory being faster.
Keep the fringe ca_root_nss location /usr/local/etc/ssl since that is
still seeded by the package but controlled and topped up by the user
configured authorities.
If we convert groups to a model, we will switch the nested <member> tags into comma separated fields, e.g.
<member>1</member>
<member>12</member>
will convert to:
<member>1,12</member>
Using this commit we support both for areas where these are being read.
It's debatable how careful we should be reading files from /etc/ssl/certs
but in practice garbage-in-garbage-out is the best approach and just match
a wider variety of files included in the directory.
We do not currently use /usr/local/share/certs/untrusted either,
but keep it for future use. The other directories are not used
by FreeBSD 14 or newer so just remove their use.
After removing the file caches in https://github.com/opnsense/core/issues/7515, we introduced the slight downside of calling configd for every field.
Using this commit, we should only call configd once per session, which prevents each record in a set calling configd.
This should increase overall performance when using these fieldtypes.
This commit adds a wrapper in base for the authenticate() method, which calls the protected _authenticate() method for a timed auth sequence.
When authentication is fully handled elsewhere (LDAP, RADIUS), we trust the provider for proper constraints, for local cases we move our implementations to _authenticate() in this commit.
Unfortunately Python requests/urllib3/ssl ignores platform openssl defaults, but does choose defaults which do not always match expectations.
Below per configuration item (system_default_sect) the current situation:
* CipherString --> supported, using ciphers list
* Ciphersuites --> not supported, but does seem to follow configuration defaults. When python adds support, we likely have to change something.
* SignatureAlgorithms --> not supported, but seems as above
* Groups (Curves) --> partly supported, only one may be offered, we select the first item in the list, knowing that is a bit flaky (see: set_ecdh_curve())
* MinProtocol --> supported
To prevent clients from offering SignatureAlgorithms beyond specific boundaries, offer the option to set the list manually.
Unfortunately we can't seem to query the options via openssl, so we will have to add the ones we know manually to an option group.
[*] https://docs.openssl.org/3.0/man3/SSL_CONF_cmd/#supported-configuration-file-commands
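The mapping from system_default_sect onto a Python ssl context, as an added example that is not part of the commit or of the project's code. The configuration text is a constructed sample, and the helper names read_section, apply_defaults and build_context are hypothetical.

```python
import ssl

# Constructed sample in openssl.cnf layout (not taken from a real system).
SAMPLE_CNF = """\
[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = ECDHE+AESGCM:!aNULL
Ciphersuites = TLS_AES_256_GCM_SHA384
SignatureAlgorithms = ECDSA+SHA256:RSA-PSS+SHA256
Groups = prime256v1:secp384r1
MinProtocol = TLSv1.2
"""

MIN_PROTOCOL = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def read_section(text, wanted="system_default_sect"):
    """Collect key/value pairs of one section (hypothetical helper)."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section == wanted:
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip()
    return found

def apply_defaults(ctx, settings):
    """Apply what the ssl module can express; report the rest as skipped."""
    applied, skipped = {}, []
    for key, value in settings.items():
        if key == "CipherString":
            ctx.set_ciphers(value)
        elif key == "MinProtocol" and value in MIN_PROTOCOL:
            ctx.minimum_version = MIN_PROTOCOL[value]
        elif key == "Groups":
            value = value.split(":")[0]  # set_ecdh_curve() takes a single curve
            ctx.set_ecdh_curve(value)
        else:
            skipped.append(key)  # Ciphersuites, SignatureAlgorithms: no ssl API
            continue
        applied[key] = value
    return applied, skipped

def build_context(text=SAMPLE_CNF):
    ctx = ssl.create_default_context()
    applied, skipped = apply_defaults(ctx, read_section(text))
    return ctx, applied, skipped
```

The skipped list makes visible which items still depend on the library's own defaults, so they can be checked separately.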
The config.xml.sample also has an <enable/> node and saving RRD by
disabling it produces an empty <rrd/> node in the code so isset()
is still the right thing to do.
PR: https://forum.opnsense.org/index.php?topic=43641.0
Currently we seemed to dump new entries in /opnsense in all cases, but when these mappers address items deeper in the structure, they should use an xpath expression to get there.