tech-pkg archive


Re: CA bundle for cadaver/neon

> Date: Thu, 20 Oct 2022 14:51:30 +0100
> From: Jonathan Perkin <>
> SSLCERTBUNDLE is certainly incorrect if using the bundle from pkgsrc, as 
> that is definitely named ca-certificates.crt not ca-bundle.crt.
> At this point only www/curl uses that variable though, so clearly it 
> being wrong has contributed to it not being widely used.  It might be 
> nice to clean things up so it's actually correct and used instead of 
> duplicating that path around, but the chances of breaking things are very 
> high, and would also require figuring out why ca-bundle.crt is a thing.

For why ca-bundle.crt is a thing: it's only for builtin openssl on
platforms with a systemwide CA bundle like CentOS's.

Perhaps we should have a pkgsrc-wide variable for a CA bundle file
and/or a CA directory:

- On systems with builtin openssl or whatever, this can use the
  systemwide path.

- On systems with pkgsrc openssl, this can be
  ${PKG_SYSCONFDIR}/openssl/certs/ca-certificates.crt (or similar but
  relative to ${SSLCERTS} or whatever).

- Packages that rely on ordinary HTTPS root CA certificates will use
  whichever one is chosen pkgsrc-wide.  This way things like curl, go,
  &c., will agree and can have their root CA certificates maintained
  and updated uniformly.

- Packages that use TLS but not for ordinary HTTPS can ignore it and
  use their own root CA certificate bundle path under PKG_SYSCONFDIR.
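The selection logic sketched in the proposal above, as an added example that is not part of this thread and not pkgsrc's own mk code: a small POSIX sh script that picks one CA bundle path depending on whether the builtin or the pkgsrc OpenSSL is in use, refuses a bundle that contains no PEM certificate blocks (the failure a wrong default path would otherwise hide), and emits the environment assignments that make OpenSSL-based tools, the curl command and Go's crypto/x509 agree on the same file. The systemwide candidate paths, the default PKG_SYSCONFDIR of /usr/pkg/etc, and the function names (resolve_ca_bundle, ca_bundle_for, check_ca_bundle, print_ca_env, make_fixture) are assumptions made for this illustration; the fixture bundle it writes holds constructed placeholder blocks, not real certificates.

```shell
#!/bin/sh
# Added example (not pkgsrc code): choose one CA bundle path per host,
# sanity-check it, and hand the same path to every HTTPS client.

# resolve_ca_bundle CANDIDATE... : print the first candidate that is a
# non-empty regular file; exit status 1 if none qualifies.
resolve_ca_bundle() {
    for _f in "$@"; do
        if [ -f "$_f" ] && [ -s "$_f" ]; then
            printf '%s\n' "$_f"
            return 0
        fi
    done
    return 1
}

# ca_bundle_for TYPE [SYSCONFDIR] : the path the proposal would choose.
#   builtin -> a systemwide bundle (candidate paths are assumptions:
#              Debian/Ubuntu, CentOS/RHEL, then a bare cert.pem)
#   pkgsrc  -> the bundle under PKG_SYSCONFDIR (default assumed /usr/pkg/etc)
ca_bundle_for() {
    case "$1" in
        builtin)
            resolve_ca_bundle \
                /etc/ssl/certs/ca-certificates.crt \
                /etc/pki/tls/certs/ca-bundle.crt \
                /etc/ssl/cert.pem
            ;;
        pkgsrc)
            resolve_ca_bundle "${2:-/usr/pkg/etc}/openssl/certs/ca-certificates.crt"
            ;;
        *)
            return 2
            ;;
    esac
}

# count_pem_certs FILE : number of PEM certificate blocks in FILE (0 when
# the file is missing). grep -c exits 1 on zero matches, hence "|| true".
count_pem_certs() {
    if [ -f "$1" ]; then
        grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# check_ca_bundle FILE : succeed only if FILE holds at least one PEM block,
# so a misnamed or truncated bundle is caught before clients trust it.
check_ca_bundle() {
    _n=$(count_pem_certs "$1")
    if [ "$_n" -gt 0 ]; then
        return 0
    fi
    echo "check_ca_bundle: $1 contains no PEM certificates" >&2
    return 1
}

# print_ca_env FILE : one eval-able line pointing OpenSSL-based tools and Go
# (SSL_CERT_FILE) and the curl command (CURL_CA_BUNDLE) at the same bundle.
print_ca_env() {
    printf "export SSL_CERT_FILE='%s' CURL_CA_BUNDLE='%s'\n" "$1" "$1"
}

# make_fixture SYSCONFDIR : write a constructed bundle (placeholder blocks,
# not real certificates) at the pkgsrc location and print its path.
make_fixture() {
    _dir="$1/openssl/certs"
    mkdir -p "$_dir"
    cat > "$_dir/ca-certificates.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholderbodyAAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderbodyBBBB
-----END CERTIFICATE-----
EOF
    printf '%s\n' "$_dir/ca-certificates.crt"
}

# Demonstration on this host: try the builtin choice, then the pkgsrc one.
for _type in builtin pkgsrc; do
    if _bundle=$(ca_bundle_for "$_type") && check_ca_bundle "$_bundle"; then
        echo "$_type: $_bundle ($(count_pem_certs "$_bundle") certificates)"
        print_ca_env "$_bundle"
    else
        echo "$_type: no usable CA bundle found" >&2
    fi
done
```

Setting PKG_SYSCONFDIR-style paths through a single function is the point: curl, go and anything else that only needs ordinary HTTPS roots call the same chooser, while a package with its own trust store simply does not call it.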
