tech-pkg archive


Re: CA bundle for cadaver/neon



> Date: 20 Oct 2022 14:51:30 +0100
> From: Jonathan Perkin <jperkin%mnx.io@localhost>
> 
> SSLCERTBUNDLE is certainly incorrect if using the bundle from pkgsrc, as 
> that is definitely named ca-certificates.crt not ca-bundle.crt.
> 
> At this point only www/curl uses that variable though, so clearly it 
> being wrong has contributed to it not being widely used. It might be 
> nice to clean things up so it's actually correct and used instead of 
> duplicating that path around, but the chances of breaking things are very 
> high, and would also require figuring out why ca-bundle.crt is a thing.
See https://mail-index.netbsd.org/tech-pkg/2021/02/23/msg024608.html
for why ca-bundle.crt is a thing -- it's only for builtin openssl on
platforms with a systemwide CA bundle like CentOS's
/etc/pki/tls/certs/ca-bundle.crt.
Perhaps we should have a pkgsrc-wide variable for a CA bundle file
and/or a CA directory:
- On systems with builtin openssl or whatever, this can use the
 systemwide path.
- On systems with pkgsrc openssl, this can be
 ${PKG_SYSCONFDIR}/openssl/certs/ca-certificates.crt (or similar but
 relative to ${SSLCERTS} or whatever).
- Packages that rely on ordinary HTTPS root CA certificates will use
 whichever one is chosen pkgsrc-wide. This way things like curl, go,
 &c., will agree and can have their root CA certificates maintained
 and updated uniformly.
- Packages that use TLS but not for ordinary HTTPS can ignore it and
 use their own root CA certificate bundle path under PKG_SYSCONFDIR.
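The resolution order proposed above, written out as a small POSIX shell example. This is an added illustration, not code from pkgsrc or from the mail's author; the variable names (a yes/no builtin-openssl flag, a PKG_SYSCONFDIR-style directory and a systemwide bundle path such as CentOS's /etc/pki/tls/certs/ca-bundle.crt) are passed as arguments and are assumptions. The check that a candidate file actually contains a PEM certificate is the detail that catches the "file exists but is empty or wrong" failure mode, which is exactly what a mis-set SSLCERTBUNDLE would produce.

```shell
#!/bin/sh
# Added example (not pkgsrc code): pick one CA bundle path for the whole tree.
# Arguments to resolve_ca_bundle (all assumed names, not pkgsrc variables):
#   $1  "yes" if the platform's builtin openssl is used, otherwise "no"
#   $2  pkgsrc configuration directory (plays the role of PKG_SYSCONFDIR)
#   $3  systemwide bundle path, e.g. /etc/pki/tls/certs/ca-bundle.crt on CentOS
# Prints the chosen path on stdout and returns 1 when the bundle is unusable.

# A bundle is usable only if it is readable and holds at least one PEM block;
# an empty or misnamed file would otherwise break TLS verification silently.
ca_bundle_usable() {
    [ -r "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

resolve_ca_bundle() {
    use_builtin=$1
    sysconfdir=$2
    system_bundle=$3

    if [ "$use_builtin" = yes ]; then
        # builtin openssl: trust the platform's own bundle
        candidate=$system_bundle
    else
        # pkgsrc openssl: the bundle installed under the configuration dir
        candidate="$sysconfdir/openssl/certs/ca-certificates.crt"
    fi

    if ca_bundle_usable "$candidate"; then
        printf '%s\n' "$candidate"
        return 0
    fi
    printf 'no usable CA bundle at %s\n' "$candidate" >&2
    return 1
}

# Demo on constructed files in a temporary directory (placeholder PEM block,
# not a real certificate): run as `sh this.sh demo`.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/openssl/certs"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' \
        > "$tmp/etc/openssl/certs/ca-certificates.crt"
    : > "$tmp/ca-bundle.crt"   # exists but is empty: must be rejected

    resolve_ca_bundle no "$tmp/etc" "$tmp/ca-bundle.crt"
    resolve_ca_bundle yes "$tmp/etc" "$tmp/ca-bundle.crt" \
        || echo "empty systemwide bundle rejected, as intended"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Packages that only need ordinary HTTPS roots would consume the printed path; those with their own trust store (the last bullet above) simply never call it.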

