Date: Thu, 20 Feb 2025 15:00:37 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 284749] certctl: add support for generating cert.pem CAfiles
Message-ID: <bug-284749-227-g6zc8ptBuF@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-284749-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-284749-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749

--- Comment #36 from Mel Pilgrim <ports.maintainer@evilphi.com> ---
(In reply to Michael Osipov from comment #28)
I've none. I'm eager to see this move forward and get into src.

(In reply to Michael Osipov from comment #26)
I believe it should be MFC'd, but I may be biased. :) Even without the bundle
file functionality, it would be great to have certctl from main with its
bundle-splitting ability in stable/*. (13.5-R maybe? please?)

(In reply to Franco Fichtner from comment #29)
There's a bug[1] in a Rust library caused by hardcoding
/usr/local/openssl/cert.pem as the sole trust store location.

1: https://github.com/rustsec/rustsec/issues/1137

I think all three locations are required by the population of ca_root_nss
dependants, sadly. Such misbehaviour will undoubtedly continue. Hence this
work to bring those locations into certctl's bailiwick.

(In reply to Michael Osipov from comment #35)
It doesn't. OpenSSL using the CAfile as the only source is what started me on
all this. I have servers with certificates signed by a private CA installed in
/etc/ssl/certs. If ca_root_nss gets installed on those clients, validation
fails because they can't find the CA unless it's also appended to
/usr/local/share/certs/ca-root-nss.crt.

-- 
You are receiving this mail because:
You are the assignee for the bug.