Date:      Thu, 20 Feb 2025 12:26:27 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 284749] certctl: add support for generating cert.pem CAfiles
Message-ID:  <bug-284749-227-8rbrGvB23Z@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-284749-227@https.bugs.freebsd.org/bugzilla/>


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749

--- Comment #32 from Franco Fichtner <franco@opnsense.org> ---
truss which application? Some applications (like fetch, or really the libfetch
library) have or have had bundle fallbacks that disable the hash dir.

The OpenSSL documentation doesn't specify a load order or restrictions. I'm not
saying it doesn't exist so you could be right.

Given this point, do we still not want OpenSSL to load the bundle instead?
That would be a step backwards from the certctl introduction. All I'm saying is
that moving the bundle to a default location is not a good idea, as it has an
impact on the hash dir which is not obvious to the user and is not, or will never
be, properly documented / safeguarded against.

ca_root_nss doing it for legacy reasons is one thing. But also most ports are
hardwired to use /usr/local/etc/ssl/cert.pem which is a perfectly fine bundle
location not tainting the base (or ports) OpenSSL behaviour and would even
allow the removal of ca_root_nss (to some degree).

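The comment above turns on the difference between the two trust-store layouts OpenSSL understands: a bundle file (cert.pem, passed as CAfile) that is read whole, and a hash dir (certs/, passed as CApath) in which OpenSSL opens only the file named after the issuer's subject hash. The script below is an added example and not code from the bug thread, certctl or OpenSSL. It builds both layouts from one throwaway self-signed CA (the CA name and temporary paths are constructed for the demo), verifies against each, and runs the consistency check a bundle in a default location would need so the hash dir does not silently drift from it. It assumes the openssl(1) command-line tool is installed.

```shell
#!/bin/sh
# Added example, not part of the bug thread. Builds the two trust-store
# layouts OpenSSL understands from one throwaway self-signed CA:
#   bundle:   a single PEM file (cert.pem) passed as CAfile
#   hash dir: one file per CA named <subject_hash>.<n> passed as CApath
# and checks that a bundle and a hash dir agree on which CAs they hold.
# Assumes openssl(1) is installed; CA name and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA: constructed for this demo only, never leaves $WORK.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Bundle form: every trusted CA concatenated into one file.
make_bundle() {
    cat "$WORK/ca.pem" > "$WORK/cert.pem"
}

# Hash-dir form: the layout c_rehash(1) / "certctl rehash" produce. OpenSSL
# opens only the file whose name matches the issuer's subject hash.
make_hashdir() {
    mkdir -p "$WORK/certs"
    h=$(openssl x509 -in "$WORK/ca.pem" -noout -subject_hash)
    cp "$WORK/ca.pem" "$WORK/certs/$h.0"
}

# verify_with_bundle BUNDLE CERT / verify_with_hashdir DIR CERT:
# return 0 when CERT chains to a CA in the given store, non-zero otherwise.
verify_with_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
verify_with_hashdir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# bundle_missing_from_hashdir BUNDLE DIR: print the subject hash of every
# CA in BUNDLE that has no <hash>.<n> file in DIR; prints nothing when the
# two stores agree. This is the check that makes a bundle/hash-dir split
# visible instead of leaving it to surprise the user.
bundle_missing_from_hashdir() {
    bundle=$1; dir=$2
    split=$(mktemp -d)
    # Split the bundle into one PEM file per certificate (comments and
    # text outside BEGIN/END blocks are dropped).
    awk -v d="$split" '
        /-----BEGIN CERTIFICATE-----/ { if (f != "") close(f); f = d "/" (++n) ".pem" }
        f != "" { print > f }' "$bundle"
    for pem in "$split"/*.pem; do
        [ -e "$pem" ] || continue
        h=$(openssl x509 -in "$pem" -noout -subject_hash)
        found=0
        for entry in "$dir/$h".[0-9]*; do
            [ -e "$entry" ] && found=1
        done
        [ "$found" -eq 1 ] || echo "$h"
    done
    rm -rf "$split"
}

make_test_ca
make_bundle
make_hashdir
mkdir -p "$WORK/empty"   # a hash dir with no entries, for the negative case

verify_with_bundle "$WORK/cert.pem" "$WORK/ca.pem" && echo "bundle: ok"
verify_with_hashdir "$WORK/certs" "$WORK/ca.pem" && echo "hash dir: ok"
verify_with_hashdir "$WORK/empty" "$WORK/ca.pem" || echo "empty hash dir: rejected"
echo "missing from hash dir: '$(bundle_missing_from_hashdir "$WORK/cert.pem" "$WORK/certs")'"
echo "missing from empty dir: '$(bundle_missing_from_hashdir "$WORK/cert.pem" "$WORK/empty")'"
```

Run it against a real pair, e.g. `bundle_missing_from_hashdir /usr/local/etc/ssl/cert.pem /etc/ssl/certs`, to see which CAs a ports-installed bundle trusts that the base hash dir does not; any hash it prints is a CA that a CAfile consumer and a CApath consumer on the same host would disagree about.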
