
List:       netbsd-tech-pkg
Subject:    Re: CA bundle for cadaver/neon
From:       Taylor R Campbell <campbell+netbsd-tech-pkg () mumble ! net>
Date:       2022-10-20 15:44:25
Message-ID: 20221020154433.F1F1F6085C () jupiter ! mumble ! net

> Date: Thu, 20 Oct 2022 14:51:30 +0100
> From: Jonathan Perkin <jperkin@mnx.io>
> 
> SSLCERTBUNDLE is certainly incorrect if using the bundle from pkgsrc, as 
> that is definitely named ca-certificates.crt not ca-bundle.crt.
> 
> At this point only www/curl uses that variable though, so clearly it 
> being wrong has contributed to it not being widely used.  It might be 
> nice to clean things up so it's actually correct and used instead of 
> duplicating that path around, but the chances of breaking things are very 
> high, and would also require figuring out why ca-bundle.crt is a thing.

See https://mail-index.netbsd.org/tech-pkg/2021/02/23/msg024608.html
for why ca-bundle.crt is a thing -- it's only for builtin openssl on
platforms with a systemwide CA bundle like CentOS's
/etc/pki/tls/certs/ca-bundle.crt.

Perhaps we should have a pkgsrc-wide variable for a CA bundle file
and/or a CA directory:

- On systems with builtin openssl or whatever, this can use the
  systemwide path.

- On systems with pkgsrc openssl, this can be
  ${PKG_SYSCONFDIR}/openssl/certs/ca-certificates.crt (or similar but
  relative to ${SSLCERTS} or whatever).

- Packages that rely on ordinary HTTPS root CA certificates will use
  whichever one is chosen pkgsrc-wide.  This way things like curl, go,
  &c., will agree and can have their root CA certificates maintained
  and updated uniformly.

- Packages that use TLS but not for ordinary HTTPS can ignore it and
  use their own root CA certificate bundle path under PKG_SYSCONFDIR.
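The following is an added illustration of the proposal in this message, not pkgsrc code and not something the author posted: a small POSIX shell script that resolves a single CA bundle path (systemwide candidates for builtin openssl, the `${PKG_SYSCONFDIR}/openssl/certs/ca-certificates.crt` path for pkgsrc openssl) and then sanity-checks the chosen file before anything is pointed at it. The CentOS path is the one named above; the other candidate paths, the function names, and the placeholder bundle fixture are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not pkgsrc code: resolve one CA bundle path the way the
# proposal above sketches, then sanity-check the file before pointing
# packages at it.  Function and variable names here are hypothetical.

# Systemwide bundle locations to probe when openssl is builtin.  The CentOS
# path is the one named in the message; the other two are assumptions.
SYSTEM_CA_CANDIDATES="/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/etc/openssl/certs/ca-certificates.crt"

# resolve_ca_bundle <builtin|pkgsrc> <PKG_SYSCONFDIR>
# Prints the chosen bundle path on stdout; returns 1 if none is readable.
resolve_ca_bundle() {
    _mode=$1
    _sysconfdir=$2
    if [ "$_mode" = pkgsrc ]; then
        # pkgsrc openssl: one well-known path under PKG_SYSCONFDIR
        _path="$_sysconfdir/openssl/certs/ca-certificates.crt"
        if [ -r "$_path" ]; then
            printf '%s\n' "$_path"
            return 0
        fi
        return 1
    fi
    # builtin openssl: first readable systemwide bundle wins
    for _path in $SYSTEM_CA_CANDIDATES; do
        if [ -r "$_path" ]; then
            printf '%s\n' "$_path"
            return 0
        fi
    done
    return 1
}

# count_pem_certs <file>
# Number of PEM certificate blocks in the bundle.  A bundle that parses to
# zero certificates (empty or wrong format) makes every HTTPS peer fail
# verification, so callers should treat 0 as an error, not as "no trust".
count_pem_certs() {
    if [ -r "$1" ]; then
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# make_fake_sysconfdir <dir>
# Constructed fixture: writes a bundle with two placeholder PEM blocks so the
# functions above can be exercised offline.  These are not real certificates.
make_fake_sysconfdir() {
    mkdir -p "$1/openssl/certs"
    cat > "$1/openssl/certs/ca-certificates.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIB (constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB (constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
EOF
}

# Stand-alone demo: build the fixture, resolve the pkgsrc-style path and
# report how many certificates the chosen bundle carries.
demo() {
    _tmp=$(mktemp -d)
    make_fake_sysconfdir "$_tmp/etc"
    _bundle=$(resolve_ca_bundle pkgsrc "$_tmp/etc") || {
        echo "no CA bundle found" >&2
        rm -rf "$_tmp"
        return 1
    }
    echo "CA bundle: $_bundle ($(count_pem_certs "$_bundle") certificates)"
    rm -rf "$_tmp"
}

demo
```

The point of `count_pem_certs` is the check a packager would want before switching every HTTPS consumer to one shared path: a bundle that resolves but contains no certificates is worse than a missing one, because it fails verification everywhere at once instead of at build time.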