tech-pkg archive


Re: system default root certificates?



On Mon, Mar 3, 2014 at 10:15 PM, OBATA Akio <obata%lins.jp@localhost> wrote:
> Hi,
>
> How to specify/use default root certificates in pkgsrc?
>
> 1. Current situation
>
> In security/openssl/builtin.mk:
>   SSLCERTS will point to builtin OpenSSL's certs if using builtin OpenSSL,
>   or pkgsrc's one (depending on PKG_SYSCONFIGDIR).
>   builtin location list may not be complete.
>
> In security/mozilla-rootcerts/Makefile
>   SSLDIR is set almost same as above SSLCERTS (but loose logic).
>
> In security/mozilla-rootcerts/files/mozilla-rootcerts.sh:
>   using SSLDIR for OpenSSL?
>   using /etc/ssl/certs/ca-certificates.crt (hard-coded!) for GnuTLS?
>
> In security/openssl/Makefile:
>   PKG_SYSCONFDIR/certs will be set as default one.
>
> In security/gnutls/Makefile:
>   Not specified exactly, depending on build host configuration.
>   (/etc/ssl/certs/ca-certificates.crt is one of the candidates in configure
> script)
>
> I have not looked at all of them, but it seems that packages depending on
> OpenSSL are using SSLCERTS,
> and GnuTLS ones are using /etc/ssl/certs/ca-certificates.crt.
>
> 2. Consideration
>
> NetBSD does not, but some platforms already have their own system default
> root certificates.
> But they may be ignored now if SSLCERTS or /etc/ssl/certs/ca-certificates.crt
> points to the wrong location,
> or if using OpenSSL/GnuTLS from pkgsrc.
>
>  * Should it be used even if using OpenSSL/GnuTLS from pkgsrc?
>  * Should it be defined in mk/platform/${OPSYS}.mk?
>  * How should mozilla-rootcerts act?
>
>
> Any ideas?
>
> --
> OBATA Akio / obata%lins.jp@localhost


OpenSSL and GnuTLS should both depend on mozilla rootcerts, which may
also need a builtin.
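
The split described in this thread (OpenSSL consumers reading a certs directory, GnuTLS consumers reading /etc/ssl/certs/ca-certificates.crt) can be checked on a host with a short script. This is an added example, not code from pkgsrc or from either poster; the function names are hypothetical, and it assumes OpenSSL's store is a directory of hash-named files and ignores any single-file bundle OpenSSL may also read.

```shell
#!/bin/sh
# Added example: report which of the two trust-store locations named in the
# thread is actually populated. Function names are hypothetical.

# Path the original post says is hard-coded for GnuTLS.
GNUTLS_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# count_certs FILE -> number of PEM certificates in FILE (0 if FILE is missing)
count_certs() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# count_hashed DIR -> number of OpenSSL hash-named entries (xxxxxxxx.N) in DIR
count_hashed() {
    n=0
    for f in "$1"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# openssl_certdir -> certs directory of the openssl binary found in PATH
# (parses the OPENSSLDIR line printed by `openssl version -d`)
openssl_certdir() {
    openssl version -d 2>/dev/null | sed -n 's|^OPENSSLDIR: "\(.*\)"$|\1/certs|p'
}

# trust_store_status ROOT CERTDIR -> both | openssl-only | gnutls-only | none
# ROOT is a path prefix (empty for the live system) so the check can also be
# run against a staged or test tree.
trust_store_status() {
    root=$1
    certdir=$2
    ossl=$(count_hashed "$root$certdir")
    gtls=$(count_certs "$root$GNUTLS_BUNDLE")
    if [ "$ossl" -gt 0 ] && [ "$gtls" -gt 0 ]; then
        echo both
    elif [ "$ossl" -gt 0 ]; then
        echo openssl-only
    elif [ "$gtls" -gt 0 ]; then
        echo gnutls-only
    else
        echo none
    fi
}
```

On a live system, `trust_store_status "" "$(openssl_certdir)"` gives the result for whichever openssl binary is first in PATH; anything other than `both` means packages linked against one of the two libraries will find no roots to verify peers against.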

