"Dr. Thomas Orgis" <thomas.orgis%uni-hamburg.de@localhost> writes:

> Any reaction to the certbundle part?

I'm not entirely clear on this. In general, the entire subject of configuring trust anchors is a bit messy. Typically, when a pkgsrc program uses openssl, it ends up using that openssl's trust anchor configuration. So, it seems there is something more going on, and curl is not using the default verifier, but is doing something more.

I don't understand SSLCERTBUNDLE; I don't find it in security/openssl/builtin.mk. I don't understand the "it is essential", as it seems the normal approach is to have certs in SSLCERTS with the hash symlinks. If someone has a bundle instead, and openssl by default reads that too, that's fine -- but curl seems to be doing things its own way.

I also think it's incorrect to change the behavior of a tool at run time based on whether there was or was not a bundle present at configure time, if that's what is going on. The build-time system's trust anchor configuration is not really related to the runtime system's configuration.

Overall this problem seems like a symptom of curl not using the default verifier. Can you explain what the problem is, and why you think this is the right thing to do?