Re: trusted certs in AWS image

To: netbsd-users%netbsd.org@localhost
Subject: Re: trusted certs in AWS image
From: Swift Griggs <swiftgriggs%gmail.com@localhost>
Date: Thu, 12 Nov 2015 15:30:14 -0700 (MST)

On Thu, 12 Nov 2015, Jan Schaumann wrote:

After spinning up an AWS NetBSD 6.1.5 instance (ami-bc2c94d4), I findthat does not have a trusted CA bundle.

I've seen this issue with other tools that want a cert bundle like 'wget'and 'aria2c' as well as 'youtube-dl'. I would speculate that the toolswant/expect the bundle in different places and that's why it breaks on afairly regular basis. Of course, the pkgsrc guys are the ones with time onthe metal who could tell you exactly.


/tinfoil hat rant

IMHO, SSL is irrevocably broken and untrustable for most of it's originalpurposes. What the NSA hasn't (post Snowden) openly cracked others havecast doubt on. It's got a massive portfolio of algorithms and I have neverforgiven them for implementing RC2 and RC4 instead of oh, I dunno,anything (or nothing)... SSL needs a massive KISS makeover or to be simplyreplaced. (yeah, easy for me to say, I know...)


/rant off

I get it, though. You have apps that you want to stop complaining about"invalid" SSL certificates. Happens to me quite a bit even though I viewSSL with such disgust and suspicion, it's hard to get away from it. I alsoacknowledge there aren't a lot of great alternatives that are widelydeployed and accessible.

You can do what I do if you please. Simply ktrace the application that'sgiving you a hassle and figure out where it wants to open() or fopen() theCA bundle, then symlink it there.


-Swift

References:
- trusted certs in AWS image
  - From: Jan Schaumann

Prev by Date: Re: trusted certs in AWS image
Next by Date: What is the current state financial of NetBSD?
Previous by Thread: Re: trusted certs in AWS image
Next by Thread: What is the current state financial of NetBSD?
Indexes:

Home | Main Index | Thread Index | Old Index