Subject: SSL support in system binaries
To: None <tech-userlevel@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-userlevel
Date: 07/29/2003 02:16:36
On Tue, Jul 29, 2003 at 02:30:02PM +0900, YAMAMOTO Shigeru wrote:
> 
> Hi, all,
> 
> I make a patch to support HTTPS for /usr/bin/ftp.
> It is quick hack.
> 
> Please try and test it.

This raises an important issue (which, amusingly, most Linux
distributions seem to botch): if we're going to ship binaries
with the system that support SSL or other certificate-authenticated
protocols, we need to try to do some kind of certificate validation,
and we need to ship a reasonable default bundle of trusted root
certificate authorities.

A coworker of mine at ReefEdge wrote some nice tools to turn the
CA bundle from the Mozilla CVS repository into a format that
OpenSSL can handle, and I have some nice sample code that does
certificate validation (including correctly handling chains,
which most OpenSSL applications seem to get wrong) with OpenSSL.
I suppose I should probably try to get this stuff into the tree
soonish, if we anticipate adding SSL to more pieces of the system. :-)

Thor