tech-pkg archive


Re: CA bundle for cadaver/neon



> Date: Thu, 20 Oct 2022 14:51:30 +0100
> From: Jonathan Perkin <jperkin%mnx.io@localhost>
> 
> SSLCERTBUNDLE is certainly incorrect if using the bundle from pkgsrc, as 
> that is definitely named ca-certificates.crt not ca-bundle.crt.
> 
> At this point only www/curl uses that variable though, so clearly it 
> being wrong has contributed to it not being widely used.  It might be 
> nice to clean things up so it's actually correct and used instead of 
> duplicating that path around, but the chances of breaking things are very 
> high, and would also require figuring out why ca-bundle.crt is a thing.

See https://mail-index.netbsd.org/tech-pkg/2021/02/23/msg024608.html
for why ca-bundle.crt is a thing -- it's only for builtin openssl on
platforms with a systemwide CA bundle like CentOS's
/etc/pki/tls/certs/ca-bundle.crt.

Perhaps we should have a pkgsrc-wide variable for a CA bundle file
and/or a CA directory:

- On systems with builtin openssl or whatever, this can use the
  systemwide path.

- On systems with pkgsrc openssl, this can be
  ${PKG_SYSCONFDIR}/openssl/certs/ca-certificates.crt (or similar but
  relative to ${SSLCERTS} or whatever).

- Packages that rely on ordinary HTTPS root CA certificates will use
  whichever one is chosen pkgsrc-wide.  This way things like curl, go,
  &c., will agree and can have their root CA certificates maintained
  and updated uniformly.

- Packages that use TLS but not for ordinary HTTPS can ignore it and
  use their own root CA certificate bundle path under PKG_SYSCONFDIR.
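The following is an added example, not code from this thread or from pkgsrc, showing how the selection rule proposed above could be expressed as a small POSIX sh helper: with builtin openssl it takes the first readable systemwide bundle from a candidate list, otherwise it uses ${PKG_SYSCONFDIR}/openssl/certs/ca-certificates.crt, and a second helper counts the PEM certificates so an empty or wrong file is caught before anything trusts it. The names select_ca_bundle, count_certs and SYSTEM_CA_BUNDLES are hypothetical; the CentOS path comes from the mail, the other two candidate paths are common distro locations assumed here.

```shell
#!/bin/sh
# Added example (not pkgsrc code). Chooses one CA bundle path following the
# proposal above: systemwide bundle with builtin openssl, pkgsrc bundle
# under PKG_SYSCONFDIR otherwise. All names here are hypothetical.

# Candidate systemwide bundles, first readable one wins. Newline-separated;
# paths containing whitespace are not supported by this simple list.
# /etc/pki/tls/certs/ca-bundle.crt is the CentOS path from the mail; the
# other two are assumed common locations on other distributions.
SYSTEM_CA_BUNDLES="/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/etc/ssl/cert.pem"

# select_ca_bundle USE_BUILTIN PKG_SYSCONFDIR
#   USE_BUILTIN is "yes" when the platform's builtin openssl is in use.
#   Prints the chosen bundle path; returns 1 if no readable bundle exists.
select_ca_bundle() {
    use_builtin=$1
    sysconfdir=$2
    if [ "$use_builtin" = "yes" ]; then
        for f in $SYSTEM_CA_BUNDLES; do
            if [ -r "$f" ]; then
                echo "$f"
                return 0
            fi
        done
        return 1
    fi
    pkg_bundle="$sysconfdir/openssl/certs/ca-certificates.crt"
    if [ -r "$pkg_bundle" ]; then
        echo "$pkg_bundle"
        return 0
    fi
    return 1
}

# count_certs FILE
#   Prints the number of PEM certificates in FILE. A result of 0 means the
#   file exists but is not usable as a root CA bundle (wrong file, empty,
#   or DER rather than PEM), which is the failure worth catching early.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Stand-alone usage: report which bundle a pkgsrc-openssl system would use.
if bundle=$(select_ca_bundle no "${PKG_SYSCONFDIR:-/usr/pkg/etc}"); then
    echo "CA bundle: $bundle ($(count_certs "$bundle") certificates)"
else
    echo "no readable CA bundle found" >&2
fi
```

A package that only needs ordinary HTTPS roots would consume the printed path; one with its own trust store, as the last bullet above notes, would simply not call it.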

