Date:      Mon, 23 Jan 2023 21:15:57 -0000 (UTC)
From:      Christian Weisgerber <naddy@mips.inka.de>
To:        freebsd-security@freebsd.org
Subject:   Re: Can security/ca_root_nss be retired?
Message-ID:  <slrntstu8d.22v5.naddy@lorvorc.mips.inka.de>
References:  <551458a3-665f-9f55-8ef9-1dd23e1e3aee@bluerosetech.com>

On 2023-01-19, Mel Pilgrim <list_freebsd@bluerosetech.com> wrote:

> Given /usr/share/certs exists for all supported releases, is there any 
> reason to keep the ca_root_nss port?

Yes.

net/openntpd does this:
  tls_load_file(tls_default_ca_cert_file(), ...)

tls_default_ca_cert_file() is from security/libretls, where it is
a wrapper around X509_get_default_cert_file() from OpenSSL.
X509_get_default_cert_file() returns X509_CERT_FILE, which is defined
to "/etc/ssl/cert.pem".

I don't see a replacement in /usr/share/certs/.

I used openntpd as an example, because that's a case I know, but
presumably there are further instances in the ports tree.

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de
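
A check an administrator can run before removing the port, as an added example that is not part of the original message: it classifies the path that a single-file consumer such as the tls_load_file() call above would open. The function name check_ca_file and its status strings are hypothetical; /etc/ssl/cert.pem is the path named in the message.

```shell
#!/bin/sh
# Added example: classify the path a single-file CA consumer would open.
# check_ca_file and its status strings are hypothetical names; the path
# /etc/ssl/cert.pem in the usage comment is the one named in the message.

check_ca_file() {
    path=$1
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo "dangling-symlink"   # link survives, target was removed
        return 1
    fi
    if [ ! -e "$path" ]; then
        echo "missing"
        return 1
    fi
    if [ -d "$path" ]; then
        echo "directory"          # a cert directory is not a loadable file
        return 1
    fi
    if [ ! -r "$path" ]; then
        echo "unreadable"
        return 1
    fi
    # Count PEM certificate blocks; grep -c exits 1 on zero matches.
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" || true)
    if [ "$n" -eq 0 ]; then
        echo "no-certificates"
        return 1
    fi
    echo "bundle:$n"
    return 0
}

# Run against a path given on the command line, e.g.
#   sh check_ca_file.sh /etc/ssl/cert.pem
if [ "$#" -gt 0 ]; then
    check_ca_file "$1"
fi
```

Any result other than bundle:N means a program that loads the default CA file by path will start without trust anchors or fail to load them.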


