pkgsrc-Users archive
Re: mozilla-rootcerts assumes /etc/ssl/certs
On 03/30, J. Lewis Muir wrote:
> On 03/30, Greg Troxel wrote:
> >
> > coypu%sdf.org@localhost writes:
> >
> > > It is currently useful and intended for people who use non-pkgsrc
> > > (builtin) SSL libraries and want to get a set of well-managed CAs.
> > >
> > > It could probably be smarter, or pkgsrc openssl can be taught to look
> > > at system-wide CAs too, if it doesn't.
> > > (I feel like for root CA choices, people will likely prefer system-wide
> > > settings to be respected by default).
> >
> > Good points.
> >
> > But I wonder if the right thing is for mozilla-rootcerts to modify
> > pkgsrc openssl, if that was depended on at build time, vs system
> > openssl, if that was depended on. More or less, to operate on the
> > openssl used by pkgsrc.
>
> Right, and it seems that the security/mozilla-rootcerts Makefile tries
> to do something like that already:
>
> CHECK_BUILTIN.openssl= yes
> .include "../../security/openssl/builtin.mk"
> CHECK_BUILTIN.openssl= no
> .if !empty(USE_BUILTIN.openssl:M[yY][eE][sS])
> SSLDIR= /etc/openssl/certs
> .else
> SSLDIR= ${PKG_SYSCONFDIR}/openssl/certs
> .endif
>
> SSLDIR will get substituted (by the pkgsrc SUBST framework as configured
> in Makefile) in files/mozilla-rootcerts.sh (which is installed as
> mozilla-rootcerts) as the SSLDIR variable, and, for the install
> subcommand, mozilla-rootcerts.sh will extract the individual certificate
> files to $destdir$SSLDIR. That makes sense to me.
>
> But what I don't understand is that mozilla-rootcerts.sh also has:
>
> certdir="/etc/ssl/certs"
> conffile="/etc/openssl/openssl.cnf"
> destdir=
>
> Those don't get substituted with the SUBST framework. SSLDIR and
> others are substituted, but certdir and conffile are *not* substituted,
> and that's what I'm asking about. For mozilla-rootcerts.sh's install
> subcommand, it writes to $destdir$certdir/ca-certificates.crt.
> Since certdir is not substituted, it will *always* write to
> /etc/ssl/certs/ca-certificates.crt. Is that right, and if so, could
> someone explain why?
>
> For my setup on macOS Sierra, USE_BUILTIN.openssl=no and
> PKG_SYSCONFDIR=/opt/pkg/etc, so I get SSLDIR=/opt/pkg/etc/openssl/certs.
> When I run "mozilla-rootcerts install" as suggested in MESSAGE, I get
> the .pem files extracted to /opt/pkg/etc/openssl/certs (which makes
> sense to me), but (this is the part I don't understand) I also get the
> concatenation of those .pem files written to ca-certificates.crt in
> /etc/ssl/certs.
>
> I would have expected to see something like this in mozilla-rootcerts.sh
> instead (with an appropriate SUBST framework substitution for
> @PKG_SYSCONFDIR@ configured in the Makefile):
>
> certdir="@PKG_SYSCONFDIR@/ssl/certs"
> conffile="@PKG_SYSCONFDIR@/openssl/openssl.cnf"
> destdir=
>
> What am I missing about how all this works?
Ping?
Lewis
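The install flow the thread describes (extract the individual certificates under $destdir$SSLDIR, then write the concatenated bundle to $destdir$certdir/ca-certificates.crt) as a small, added illustration. This is example code written for this page, not the pkgsrc mozilla-rootcerts.sh script, and it only reproduces the two steps named above. The variable names SSLDIR, certdir, destdir and PKG_SYSCONFDIR are taken from the thread; their defaults, the helper names, and the two-certificate sample bundle (placeholder bodies, not real CA certificates) are assumptions constructed for the example. The point of the example is the certdir line: it is derived from PKG_SYSCONFDIR, as the message above expects, rather than hardcoded to /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not the pkgsrc mozilla-rootcerts.sh script.
# Reproduces the two install steps described in the thread with a
# configurable certdir. Names and defaults below are assumptions.
set -eu

# In the real package these would come from the pkgsrc SUBST framework;
# here they are plain defaults so the script runs stand-alone.
PKG_SYSCONFDIR="${PKG_SYSCONFDIR:-/opt/pkg/etc}"
SSLDIR="${SSLDIR:-${PKG_SYSCONFDIR}/openssl/certs}"
certdir="${certdir:-${PKG_SYSCONFDIR}/ssl/certs}"   # not a hardcoded /etc/ssl/certs
destdir="${destdir:-}"

# split_bundle BUNDLE OUTDIR: write each PEM certificate found in BUNDLE to
# OUTDIR/NNN.pem and print the number of certificates written.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v outdir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ {
            n++; out = sprintf("%s/%03d.pem", outdir, n); inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----$/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# build_ca_bundle SRCDIR DEST: concatenate SRCDIR/*.pem into DEST (the
# ca-certificates.crt file) and print how many certificates DEST contains.
# grep -c exits non-zero when the count is 0, which aborts under set -e.
build_ca_bundle() {
    srcdir=$1; dest=$2
    mkdir -p "$(dirname "$dest")"
    cat "$srcdir"/*.pem > "$dest"
    grep -c '^-----BEGIN CERTIFICATE-----$' "$dest"
}

# install_certs BUNDLE: the "install" step as the thread describes it, writing
# under $destdir$SSLDIR and $destdir$certdir, with certdir taken from the
# variables above instead of a literal /etc/ssl/certs.
install_certs() {
    split_bundle "$1" "$destdir$SSLDIR" >/dev/null
    build_ca_bundle "$destdir$SSLDIR" "$destdir$certdir/ca-certificates.crt"
}

# make_sample_bundle OUT: constructed two-certificate bundle. The bodies are
# placeholders, not X.509 data; only the PEM markers matter to this script.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# constructed sample bundle, not real CA certificates
-----BEGIN CERTIFICATE-----
MIIBsampleCertificateOneBodyPlaceholder000000000000000000000000000000
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIBsampleCertificateTwoBodyPlaceholder000000000000000000000000000000
-----END CERTIFICATE-----
EOF
}

# Stand-alone demo: sh install-example.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_bundle "$tmp/bundle.pem"
    destdir="$tmp/root"
    n=$(install_certs "$tmp/bundle.pem")
    echo "wrote $n certificates under $destdir$SSLDIR and $destdir$certdir/ca-certificates.crt"
fi
```

Running the demo with certdir left at its default lands the bundle under $destdir/opt/pkg/etc/ssl/certs; setting certdir=/etc/ssl/certs in the environment reproduces the behaviour the message complains about, with the bundle written under $destdir/etc/ssl/certs regardless of PKG_SYSCONFDIR.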