tech-userlevel archive
Re: [Christos Zoulas] CVS commit: src/usr.bin/ftp
On 02/09/2022 18:32, Martin Husemann wrote:
> Could be something easy like using the Mozilla root certs from last quarter's
> pkgsrc branch, downloadable from some well-known NetBSD.org URL.
> Either the original bin pkg and a (special) base system script to unpack
> and update (w/o pkg_add and architecture check), or some automatic
> magic on the server side to rebundle them in the format expected by the
> update script on the client side.
I like the way curl.se delivers it. It's also the Mozilla bundle, but as a single file, which is easier to track for changes.
https://curl.se/ca/cacert.pem
https://curl.se/ca/cacert.pem.sha256
(gets updated now and then)
However, it often requires some tuning, as most applications expect a path for trust anchors, not a single file.
Postfix
#smtpd_tls_CApath = no
smtpd_tls_CAfile = /etc/openssl/cacert.pem
#smtp_tls_CApath = no
smtp_tls_CAfile = /etc/openssl/cacert.pem
wget
vi /etc/wgetrc
ca_certificate = /etc/openssl/cacert.pem
GIT
vi ~/.gitconfig
[http]
sslCAinfo = /etc/openssl/cacert.pem
for curl itself
vi ~/.curlrc
cacert /etc/openssl/cacert.pem
--OR--
vi ~/.profile
export CURL_CA_BUNDLE=/etc/openssl/cacert.pem
I am not sure in what situation an application might require the hashed-filename flavor of the certs; see c_rehash(1ssl). I could happily live with that setup for cert verification for a while, without problems.
-pph
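As an added example (not code from the post or from NetBSD, curl or Mozilla), here is a small POSIX sh script that ties the pieces above together: it checks a downloaded cacert.pem against the published cacert.pem.sha256 before installing it, replaces /etc/openssl/cacert.pem atomically, and builds the hashed-filename directory for applications that insist on a CApath. It assumes the .sha256 sidecar is in sha256sum "HEX  filename" form, that a SHA-256 tool (sha256sum, openssl, or NetBSD's cksum) is on the host, and that `openssl rehash` (OpenSSL 1.1+) or c_rehash is available for the CApath step; the destination paths are just the ones used in the post.

```shell
#!/bin/sh
# Added example: verify, install and rehash a single-file CA bundle.
# Assumption: SUMFILE is in sha256sum form, "HEX  cacert.pem" on its first line.
set -u

# Print the SHA-256 hex digest of $1 with whatever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    else
        cksum -a SHA256 "$1" | awk '{print $NF}'   # NetBSD cksum(1) form
    fi
}

# verify_bundle BUNDLE SUMFILE: succeed only if BUNDLE matches the published digest.
verify_bundle() {
    expected=$(awk 'NR==1 {print tolower($1)}' "$2")
    actual=$(sha256_of "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# install_bundle BUNDLE SUMFILE DEST: verify, then swap DEST in atomically so a
# client never reads a half-written trust store. On mismatch DEST is untouched.
install_bundle() {
    bundle=$1 sumfile=$2 dest=$3
    if ! verify_bundle "$bundle" "$sumfile"; then
        echo "digest mismatch for $bundle, refusing to install" >&2
        return 1
    fi
    tmp="$dest.tmp.$$"
    cp "$bundle" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$dest"
}

# split_bundle BUNDLE DIR: write one cert-NNNN.pem per certificate block into DIR.
# Returns the number of certificates written via stdout.
split_bundle() {
    bundle=$1 dir=$2
    mkdir -p "$dir" && rm -f "$dir"/cert-*.pem
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%04d.pem", d, n) }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }' "$bundle"
}

# rehash_dir DIR: create the <subject-hash>.N symlinks OpenSSL CApath lookup needs.
rehash_dir() {
    rm -f "$1"/*.[0-9]
    openssl rehash "$1" 2>/dev/null || c_rehash "$1"
}

# Typical use (the download step needs a working trust store of its own, see note):
#   cd /tmp && curl -O https://curl.se/ca/cacert.pem -O https://curl.se/ca/cacert.pem.sha256
#   install_bundle /tmp/cacert.pem /tmp/cacert.pem.sha256 /etc/openssl/cacert.pem &&
#     split_bundle /etc/openssl/cacert.pem /etc/openssl/certs >/dev/null &&
#     rehash_dir /etc/openssl/certs
```

Two caveats worth keeping in mind: the .sha256 file lives next to the bundle on the same host, so it only proves the download was not corrupted or truncated, not that the host was the real curl.se; the first fetch still has to be trusted some other way (an already-trusted store, a checksum taken out of band, or the pkgsrc route the quoted message suggests). And `openssl rehash` silently drops files it cannot parse, so compare the count printed by split_bundle with the number of `*.0` links it leaves behind.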