NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: trusted certs in AWS image

On Thu, 12 Nov 2015, Jan Schaumann wrote:
After spinning up an AWS NetBSD 6.1.5 instance (ami-bc2c94d4), I find that does not have a trusted CA bundle.

I've seen this issue with other tools that want a cert bundle like 'wget' and 'aria2c' as well as 'youtube-dl'. I would speculate that the tools want/expect the bundle in different places and that's why it breaks on a fairly regular basis. Of course, the pkgsrc guys are the ones with time on the metal who could tell you exactly.

/tinfoil hat rant

IMHO, SSL is irrevocably broken and untrustable for most of it's original purposes. What the NSA hasn't (post Snowden) openly cracked others have cast doubt on. It's got a massive portfolio of algorithms and I have never forgiven them for implementing RC2 and RC4 instead of oh, I dunno, anything (or nothing)... SSL needs a massive KISS makeover or to be simply replaced. (yeah, easy for me to say, I know...)

/rant off

I get it, though. You have apps that you want to stop complaining about "invalid" SSL certificates. Happens to me quite a bit even though I view SSL with such disgust and suspicion, it's hard to get away from it. I also acknowledge there aren't a lot of great alternatives that are widely deployed and accessible.

You can do what I do if you please. Simply ktrace the application that's giving you a hassle and figure out where it wants to open() or fopen() the CA bundle, then symlink it there.


Home | Main Index | Thread Index | Old Index