"Dr. Thomas Orgis" <thomas.orgis%uni-hamburg.de@localhost> writes:
Any reaction to the certbundle part?
I'm not entirely clear on this. In general, the entire subject of
configuring trust anchors is a bit messy. Typically, when a pkgsrc
program uses openssl, it ends up using that's openssl's trust anchor
configuration.
So, it seems there is something more going on, and curl is not using the
default verifier, but is doing something more.
I don't understand SSLCERTBUNDLE; I don't find it in
security/openssl/builtin.mk.
I don't understand the "it is essential", as it seems the normal
approach is to have certs in SSLCERTS with the hash symlinks. If
someone has a bundle instead, and openssl by default reads that too,
that's fine -- but curl seems to be doing things its own way.
I also think it's incorrect to change behavior of a tool at run time
based on whether there was or was not a bundle present at configure
time, if that's what is going on. The buildtime system's trust anchor
configuaration is not really related to the runtime system's
configuration.
Overall this problem seems like a symptom of curl not using the default verifier.
Can you explain what the problem is, and why you think this is the right
thing to do?