
List:       alpine-info
Subject:    Re: [Alpine-info] All Certs Fail on Alpine 2.22 (Fedora31)
From:       Eduardo Chappa <alpine.chappa () yandex ! com>
Date:       2020-01-28 5:23:28
Message-ID: alpine.LSU.2.22.398.2001272207470.1828 () lnx ! np13

On Mon, 27 Jan 2020, Porcelalin Mouse wrote:

>> If I understand you correctly, you mean the default value for 
>> system-certs-path, right? In this case, delete the value suggested and 
>> make it "<empty-value>". Does that work?
>
> Aha, yes, that does work!  If I set system-certs-path to <empty-value>, 
> instead of the seemingly correct default, it works; all certs validate.

Great to read that this works :)

>> Have you tried the command
>>
>> $ openssl version -d
>>
>> They should be in the certs subdirectory of the directory listed there.
>
> Oh, cool, I didn't know that.  Here's what it says:
>
> $ openssl version -d
> OPENSSLDIR: "/etc/pki/tls"
>
> So, ./configure selected "/etc/pki/tls/certs", and openssl suggested the
> internal value is "/etc/pki/tls", but *neither* works as the value of
> system-cert-path in Alpine.

In many systems the cert directory is a subdirectory of the directory 
listed in the value of OPENSSLDIR, so in your case it should have been
/etc/pki/tls/certs. However, as you say, they are not there.

> FYI:
> $ openssl version
> OpenSSL 1.1.1d FIPS  10 Sep 2019
>
> I still don't understand why openssl doesn't like the correct path, but
> that's for another list.

Sometimes the location of the certificates is not where you expect it, and 
so you have to go with your distributor, not with what the library says.

> Unless you think setting system-cert-path=<empty-value> has a downside, 
> I can live with this workaround.  It's up to you if you want ./configure 
> to choose this in the future for my platform (Fedora/RedHat).  Perhaps I 
> can code that if you are open to that but don't want to code the check 
> and test it, yourself.  I will try to figure out why this is happening, 
> because that is not how openssl behaved the last time I tried it.  Do 
> you think openssl maintainers recommend not passing a path as the 
> preferred way to allow system-wide certs to be used?

At this moment <empty value> will do the trick for you, as well as a silly 
value such as /mary/had/a/little/lamb. I am thinking of not setting up a 
default value in the unix side, but leave the default value (as useless as 
it might be at this moment) for Windows only, because at least it has some 
good information of the correct location of the certificates, even if the 
drive is not quite what it should be.

-- 
Eduardo
_______________________________________________
Alpine-info mailing list
Alpine-info@u.washington.edu
http://mailman13.u.washington.edu/mailman/listinfo/alpine-info
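
Added example, not part of the original message or of Alpine's code: a shell check for whether the directory reported by `openssl version -d` actually offers a usable certificate directory, which is the question this thread turns on. It assumes OpenSSL's default lookup layout under OPENSSLDIR (a `certs` subdirectory with hash-named entries, or a single `cert.pem` bundle); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: inspect the locations OpenSSL derives from OPENSSLDIR.

# Extract the path from a line such as: OPENSSLDIR: "/etc/pki/tls"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Classify what a given OPENSSLDIR offers as a trust store:
#   hashed-dir   certs/ holds <8 hex digits>.<n> entries (usable as a CA directory)
#   bundle-only  no hashed entries, but a non-empty cert.pem bundle exists
#   none         neither is present
classify_trust_store() {
    dir=$1
    if [ -d "$dir/certs" ]; then
        for f in "$dir"/certs/*; do
            [ -e "$f" ] || continue   # skip unmatched glob and dangling links
            case "$(basename "$f")" in
                [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                    echo hashed-dir; return 0 ;;
            esac
        done
    fi
    if [ -s "$dir/cert.pem" ]; then
        echo bundle-only; return 0
    fi
    echo none
}

# Report for the local system when openssl is installed.
report_local() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
    dir=$(parse_openssldir "$(openssl version -d)")
    echo "OPENSSLDIR=$dir trust-store=$(classify_trust_store "$dir")"
}

report_local
```

A result of `bundle-only` means pointing a certificate-directory setting at `certs` under OPENSSLDIR will find nothing to look up, even though the path exists.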