tech-userlevel archive


Re: [Christos Zoulas] CVS commit: src/usr.bin/ftp

On 02/09/2022 18:32, Martin Husemann wrote:
Could be something easy like using the mozilla root certs from last quarters
pkgsrc branch, downloadable from some well known URL.

Either the original bin pkg and a (special) base system script to unpack
and update (w/o pkg_add and architecture check), or some automatic
magic on the server side to rebundle them in the format expected by the
update script on the client side.

I like the way delivers it.  It's also the mozilla bundle but as a single file, which is easier to track for changes.
(gets updated now and then)

However, it often requires some tuning, as most applications are expecting a path for trust anchors, not a single file.


        #smtpd_tls_CApath = no
        smtpd_tls_CAfile = /etc/openssl/cacert.pem

        #smtp_tls_CApath = no
        smtp_tls_CAfile = /etc/openssl/cacert.pem


        vi /etc/wgetrc

        ca_certificate = /etc/openssl/cacert.pem


        vi ~/.gitconfig

                sslCAinfo = /etc/openssl/cacert.pem

for curl itself

        vi ~/.curlrc

        cacert /etc/openssl/cacert.pem


        vi ~/.profile

        export CURL_CA_BUNDLE=/etc/openssl/cacert.pem

I am not sure in what situation some application might require the hashed filename flavor of the certs, see c_rehash(1ssl).  I could happily live with that setup for cert verification, for a while and without problems.
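As an added example (not code from this thread), a small POSIX shell script that turns a single-file bundle such as /etc/openssl/cacert.pem into the hashed-filename CApath layout that c_rehash(1) produces, for the applications that insist on a directory of trust anchors rather than one file. The bundle path and output directory are assumptions, and the embedded sample bundle is constructed, not a real certificate.

```shell
#!/bin/sh
# Convert a single-file CA bundle into a hashed CApath directory.
# Paths here are assumptions for illustration, not taken from the thread.

# make_sample_bundle FILE: write a CONSTRUCTED two-block bundle for a dry run.
# The bodies are placeholders, not real certificates.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# Constructed sample bundle: NOT real certificates
-----BEGIN CERTIFICATE-----
MIIBconstructedPLACEHOLDER1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedPLACEHOLDER2
-----END CERTIFICATE-----
EOF
}

# split_bundle BUNDLE OUTDIR: write one cert-N.pem per PEM block, print the count.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
        f != "" { print > f }
        /^-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# hash_dir OUTDIR: rename cert-N.pem to <subject_hash>.<i>, the naming scheme
# c_rehash(1) uses, so the directory can be handed to a CApath setting.
# Needs openssl and real certificates; the constructed sample above will not
# parse, so only split_bundle is exercised on it.
hash_dir() {
    outdir=$1
    for pem in "$outdir"/cert-*.pem; do
        [ -e "$pem" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$pem") || return 1
        i=0
        while [ -e "$outdir/$h.$i" ]; do i=$((i + 1)); done
        mv "$pem" "$outdir/$h.$i"
    done
}
```

Against a real bundle: `split_bundle /etc/openssl/cacert.pem /tmp/certs && hash_dir /tmp/certs`, then point the application's CApath setting at /tmp/certs.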

