tech-pkg archive


Re: Handling system-wide TLS certification bundles for openssl builtin and www/curl



On Tue, 23 Feb 2021 14:38:33 -0500,
Greg Troxel <gdt%lexort.com@localhost> wrote:

> So, here are adjusted patches.  This is basically what you sent, except
> looking for /etc/pki/tls is confined to Linux, and on Linux it's
> explicitly pointed to /etc/ssl if that's not found.

Thanks. Yes, that looks more clear.

> Is this acceptable to you?

Looks great.

Now, good point to have checked those other packages that might have
trouble working with bundles instead of individual files … you found

  ./chat/jabberd2
  ./chat/profanity
  ./mail/alpine
  ./mail/cone
  ./mail/courier-mta
  ./mail/imap-uw
  ./mail/prayer
  ./mail/re-alpine
  ./net/mosquitto
  ./net/vsftpd
  ./net/s6-networking
  ./security/libguardtime
  ./wip/spamassassin-cvs
  ./www/dillo
  ./www/netsurf
.
None of these are in use in my systems. There is the chance that
they'll use the bundle in the SSLCERTS location. In any case, they're
not hurt by the change. And yes, the proper fix probably would be to get
all those patched to just use the default certs anyway, eliminating the
need to specify either SSLCERTS or SSLCERTBUNDLE.

I'll have a look at whether I can hack up an option for pkgsrc openssl
to use the system certs. But first I need to fix the update for
openblas, to then be able to fix py-numpy's use of BLAS … 


Alrighty then,

Thomas

-- 
Dr. Thomas Orgis
HPC @ Universität Hamburg

