F42 Change Proposal: Dropping of cert.pem file (System-Wide)

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.


Summary

To make OpenSSL use the directory-hash certificate format by default, and so speed up its initialization, we need to drop the /etc/pki/tls/cert.pem file so that OpenSSL no longer loads the whole PEM bundle by default.

Owner

Name: František Krenželok
Email: fkrenzel@redhat.com

Detailed Description

To improve the loading time of OpenSSL, directory-hash support was added to ca-certificates. For OpenSSL to use the directory-hash format by default, we need to stop it from trying to load /etc/pki/tls/cert.pem, which is done by deleting that file.

Feedback

Benefit to Fedora

Applications using OpenSSL (and possibly other libraries as well) will benefit from much faster initialization of OpenSSL.

Scope

  • Other developers:

Any package that loads the root certificates from the /etc/pki/tls/cert.pem file should preferably use the library's defaults; if it must reference a file, it should use /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem instead.

  • Release engineering: #Releng issue number
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with the Fedora Strategy: neither does nor doesn’t

Upgrade/compatibility impact

Once this change is integrated, packages or software that use /etc/pki/tls/cert.pem as their root certificate bundle file might encounter connectivity issues.

How To Test

Target behavior: OpenSSL initialization takes less time when the file isn't present compared to when it is.

  1. The following creates a symlink for testing after the change has been integrated (i.e. the .../tls/cert.pem file is missing):

ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/tls/cert.pem

  2. Measure the OpenSSL initialization time, or that of a package using it, with and without the aforementioned symlink. (If there is no difference for a package, it is most likely because OpenSSL is not configured to search for certificates in the default location.)
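The following is an added example, not part of the proposal, covering both the "Other developers" guidance and the test step above: it builds a verifying TLS context without depending on the OpenSSL-owned /etc/pki/tls/cert.pem path (library defaults first, the ca-trust bundle only if a file is unavoidable), shows the status of the legacy hard-coded pattern, and times default-context initialization, which is the quantity to compare with and without the symlink. Function and parameter names are the example's own; only the two file paths come from the proposal.

```python
"""Added example: avoid the OpenSSL-private cert.pem path and time initialization."""
import os
import ssl
import time

# Paths named in the Change proposal.
LEGACY_OPENSSL_BUNDLE = "/etc/pki/tls/cert.pem"
CA_TRUST_BUNDLE = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"


def choose_ca_source(need_file=False, exists=os.path.exists):
    """Pick the trust-anchor source in the proposal's order of preference.

    None means "library defaults" (OpenSSL's default verify paths, which pick
    up the hashed directory). Only when a bundle *file* is unavoidable return
    the ca-trust managed bundle. The legacy path is never returned.
    `exists` is injectable so constructed filesystem layouts can be tested.
    """
    if not need_file:
        return None
    if exists(CA_TRUST_BUNDLE):
        return CA_TRUST_BUNDLE
    raise FileNotFoundError(f"{CA_TRUST_BUNDLE} missing; install ca-certificates")


def build_context(need_file=False):
    """Verifying client context (CERT_REQUIRED, hostname checking on).
    With cafile=None, create_default_context() calls load_default_certs(),
    i.e. OpenSSL's SSL_CTX_set_default_verify_paths()."""
    return ssl.create_default_context(cafile=choose_ca_source(need_file))


def legacy_bundle_status():
    """The pattern this Change breaks: hard-coding OpenSSL's own default path.
    Returns "loaded" where the file still exists, "missing" after the Change."""
    try:
        ssl.create_default_context(cafile=LEGACY_OPENSSL_BUNDLE)
        return "loaded"
    except FileNotFoundError:
        return "missing"


def time_default_context(iterations=20):
    """Mean seconds to initialise a default-verifying context; compare this
    with and without the cert.pem symlink from the test step."""
    start = time.perf_counter()
    for _ in range(iterations):
        ssl.create_default_context()
    return (time.perf_counter() - start) / iterations


if __name__ == "__main__":
    print("legacy bundle:", legacy_bundle_status())
    print(f"default-context init: {time_default_context() * 1e3:.2f} ms")
```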

User Experience

Packages using OpenSSL will have a faster initialization time.

Dependencies

Any package using the /etc/pki/tls/cert.pem file is affected. Maintainers are required to change this so that the user experience is not compromised.

Contingency Plan

  • Contingency mechanism: We will postpone the change if the majority of affected package owners, or the owners of critical packages, are unable to make the appropriate changes.
  • Contingency deadline: before the end of beta freeze (2025-02-18).
  • Blocks release? The feature doesn’t block release.

Documentation

The change is documented as a part of ca-certificates package changelog.

Release Notes

The /etc/pki/tls/cert.pem file has been deprecated

Last edited by @amoloney 2024-11-01T14:34:33Z


For compatibility purposes, would it be possible to just modify Fedora’s OpenSSL package to not read that file at all, instead of removing it? We could then generate it with the compiled bundle (or just carry a symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem) and avoid breaking packages that expect the file to exist there.


No owner? @amoloney

Weird, that didn’t copy across or else I accidentally edited it out when cross posting from the wiki.

I’ve updated the owner section now, good catch!

Aoife Moloney
Fedora Operations Architect


would it be possible to just modify Fedora’s OpenSSL package to not read that file at all, instead of removing it?

We’d really like to avoid more downstream patches for Fedora on OpenSSL. Many users reference upstream documentation and are surprised when OpenSSL in Fedora does not behave in the same way.

Other packages should never have used /etc/pki/tls/cert.pem, that path was always owned by OpenSSL, and while we probably didn’t do a great job of making that obvious, other packages and tools should be fixed not to rely on the existence of OpenSSL’s default path.

Note that although this is a proposed Change, it has already been done. There is no /etc/pki/tls/cert.pem in Rawhide. The Change was filed retroactively.

I did just happen across another thing this broke, today: httpd package tests. They use beakerlib, and our beakerlib-libraries package uses /etc/pki/tls/cert.pem. This caused tests of the most recent httpd update to fail with:

:: [ 12:50:27 ] :: [  ERROR   ] :: rlFileBackup: File /etc/pki/tls/cert.pem does not exist.
:: [ 12:50:27 ] :: [   FAIL   ] :: creating backup of /etc/pki/tls/cert.pem (Expected 0, got 8)

This was addressed in the beakerlib libraries used for RHEL - though I wouldn’t say that’s the best fix - but not in the ones used for Fedora yet (I don’t know why we don’t use the same beakerlib libraries, this seems like a bad design). I’m sending a PR now I’ve found this.


It’s almost been a month for this change. This should be moved to FESCo for voting. cc @amoloney

This is strange, we have reverted the change, and are waiting for the change proposal
https://src.fedoraproject.org/rpms/ca-certificates/c/a3407acb8618b44bc484cd794be14e7cf3490497?branch=rawhide

oh, there is no build for it… let me fix that real quick