tech-pkg archive


system default root certificates?



Hi,

How to specify/use default root certificates in pkgsrc?

1. Current situation

In security/openssl/builtin.mk:
  SSLCERTS will point to builtin OpenSSL's certs if using builtin OpenSSL, or
  pkgsrc's one (depending on PKG_SYSCONFDIR).
  builtin location list may not be complete.

In security/mozilla-rootcerts/Makefile
  SSLDIR is set almost the same as the above SSLCERTS (but with loose logic).

In security/mozilla-rootcerts/files/mozilla-rootcerts.sh:
  using SSLDIR for OpenSSL?
  using /etc/ssl/certs/ca-certificates.crt (hard-coded!) for GnuTLS?

In security/openssl/Makefile:
  PKG_SYSCONFDIR/certs will be set as default one.

In security/gnutls/Makefile:
  Not specified exactly, depending on build host configuration.
  (/etc/ssl/certs/ca-certificates.crt is one of the candidates in the configure script)

I have not looked at all of them, but it seems that packages depending on OpenSSL are using SSLCERTS,
and GnuTLS ones are using /etc/ssl/certs/ca-certificates.crt.

2. Consideration

NetBSD does not, but some platforms already have their own system default root certificates.
But they may be ignored now if SSLCERTS or /etc/ssl/certs/ca-certificates.crt point to the wrong location,
or when using OpenSSL/GnuTLS from pkgsrc.

 * Should it be used even if using OpenSSL/GnuTLS from pkgsrc?
 * Should it be defined in mk/platform/${OPSYS}.mk?
 * How should mozilla-rootcerts act?


Any ideas?

--
OBATA Akio / obata%lins.jp@localhost
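
The message above describes two trust-store forms that can drift apart: a certificate directory (SSLCERTS, used by OpenSSL consumers) and a single bundle file (/etc/ssl/certs/ca-certificates.crt, used by GnuTLS consumers). The following script is an added example, not part of the original post or of pkgsrc, that checks whether both locations actually hold CA certificates; the function names and the paths passed as arguments are assumptions chosen by the caller.

```shell
#!/bin/sh
# Added example (not pkgsrc code): audit the two trust-store locations
# discussed in the message. Function names are hypothetical.

# classify_store PATH
# Prints one of: missing | empty | bundle:N | dir:N
classify_store() {
    p=$1
    if [ -f "$p" ]; then
        # Bundle form: one file with concatenated PEM certificates.
        # grep -c exits non-zero on zero matches, so neutralise that.
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$p" || true)
        if [ "$n" -gt 0 ]; then echo "bundle:$n"; else echo "empty"; fi
    elif [ -d "$p" ]; then
        # Directory form: one PEM file (or hash-named link) per CA.
        n=0
        for f in "$p"/*; do
            if [ -f "$f" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
                n=$((n + 1))
            fi
        done
        if [ "$n" -gt 0 ]; then echo "dir:$n"; else echo "empty"; fi
    else
        echo "missing"
    fi
}

# check_trust_paths CERT_DIR BUNDLE_FILE
# CERT_DIR is what SSLCERTS resolves to; BUNDLE_FILE is the GnuTLS bundle.
# Returns 0 only when both hold at least one certificate in the expected form.
check_trust_paths() {
    dir_state=$(classify_store "$1")
    bundle_state=$(classify_store "$2")
    echo "OpenSSL cert dir $1: $dir_state"
    echo "GnuTLS bundle    $2: $bundle_state"
    case "$dir_state" in dir:*) ;; *) return 1 ;; esac
    case "$bundle_state" in bundle:*) ;; *) return 1 ;; esac
    return 0
}

# Usage: sh script.sh <SSLCERTS directory> <bundle file>
if [ "$#" -ge 2 ]; then
    check_trust_paths "$1" "$2"
fi
```

A non-zero result means at least one TLS library on the host would start with no usable root certificates at that location, which is the mismatch the message is asking about.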

