Re: mozilla-rootcerts assumes /etc/ssl/certs

To: Greg Troxel <gdt%lexort.com@localhost>
Subject: Re: mozilla-rootcerts assumes /etc/ssl/certs
From: "J. Lewis Muir" <jlmuir%imca-cat.org@localhost>
Date: Thu, 13 Apr 2017 10:07:39 -0500

On 03/30, J. Lewis Muir wrote:
> On 03/30, Greg Troxel wrote:
> > 
> > coypu%sdf.org@localhost writes:
> > 
> > > It is currently useful and intended for people who use non-pkgsrc
> > > (builtin) SSL libraries and want to get a set of well-managed CAs.
> > >
> > > It could probably be smarter, or pkgsrc openssl can be taught to look
> > > at system-wide CAs too, if it doesn't.
> > > (I feel like for root CA choices, people will likely prefer system-wide
> > > settings to be respected by default).
> > 
> > Good points.
> > 
> > But I wonder if the right thing is for mozilla-rootcerts to modify
> > pkgsrc openssl, if that was depended on at build time, vs system
> > openssl, if that was depended on.   More or less, to operate on the
> > openssl used by pkgsrc.
> 
> Right, and it seems that the security/mozilla-rootcerts Makefile tries
> to do something like that already:
> 
>   CHECK_BUILTIN.openssl=  yes
>   .include "../../security/openssl/builtin.mk"
>   CHECK_BUILTIN.openssl=  no
>   .if !empty(USE_BUILTIN.openssl:M[yY][eE][sS])
>   SSLDIR=         /etc/openssl/certs
>   .else
>   SSLDIR=         ${PKG_SYSCONFDIR}/openssl/certs
>   .endif
> 
> SSLDIR will get substituted (by the pkgsrc SUBST framework as configured
> in Makefile) in files/mozilla-rootcerts.sh (which is installed as
> mozilla-rootcerts) as the SSLDIR variable, and, for the install
> subcommand, mozilla-rootcerts.sh will extract the individual certificate
> files to $destdir$SSLDIR.  That makes sense to me.
> 
> But what I don't understand is that mozilla-rootcerts.sh also has:
> 
>   certdir="/etc/ssl/certs"
>   conffile="/etc/openssl/openssl.cnf"
>   destdir=
> 
> Those don't get substituted with the SUBST framework.  SSLDIR and
> others are substituted, but certdir and conffile are *not* substituted,
> and that's what I'm asking about.  For mozilla-rootcerts.sh's install
> subcommand, it writes to $destdir$certdir/ca-certificates.crt.
> Since certdir is not substituted, it will *always* write to
> /etc/ssl/certs/ca-certificates.crt.  Is that right, and if so, could
> someone explain why?
> 
> For my setup on macOS Sierra, USE_BUILTIN.openssl=no and
> PKG_SYSCONFDIR=/opt/pkg/etc, so I get SSLDIR=/opt/pkg/etc/openssl/certs.
> When I run "mozilla-rootcerts install" as suggested in MESSAGE, I get
> the .pem files extracted to /opt/pkg/etc/openssl/certs (which makes
> sense to me), but (this is the part I don't understand) I also get the
> concatenation of those .pem files written to ca-certificates.crt in
> /etc/ssl/certs.
> 
> I would have expected to see something like this in mozilla-rootcerts.sh
> instead (with an appropriate SUBST framework substitution for
> @PKG_SYSCONFDIR@ configured in the Makefile):
> 
>   certdir="@PKG_SYSCONFDIR@/ssl/certs"
>   conffile="@PKG_SYSCONFDIR@/openssl/openssl.cnf"
>   destdir=
> 
> What am I missing about how all this works?

Ping?

Lewis

References:
- Re: mozilla-rootcerts assumes /etc/ssl/certs
  - From: coypu
- Re: mozilla-rootcerts assumes /etc/ssl/certs
  - From: Greg Troxel
- Re: mozilla-rootcerts assumes /etc/ssl/certs
  - From: J. Lewis Muir

Prev by Date: Re: Error running "mozilla-rootcerts install" on macOS
Next by Date: Re: [PATCH] fixup for py-boost (numpy dep for both python2 and python3)
Previous by Thread: Re: mozilla-rootcerts assumes /etc/ssl/certs
Next by Thread: Re: mozilla-rootcerts assumes /etc/ssl/certs
Indexes:

Home | Main Index | Thread Index | Old Index