Date: Sat, 18 Dec 2021 20:37:27 +0100
From: Andrea Venturoli <ml@netfence.it>
To: Kyle Evans <kevans@freebsd.org>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>, tijl@FreeBSD.org
Subject: Re: How to populate /etc/ssl/certs
Message-ID: <d605913c-ced7-a4dc-f24d-22e4ba957419@netfence.it>
In-Reply-To: <3f4fcb27-06e1-ee30-b16e-30d202427f28@netfence.it>
References: <aeb690a3-00bd-1edc-5e36-7b94d63e2730@netfence.it> <CACNAnaH1GkZn0RkVEdLTLdnc82O1h=c-Vvh6=aApGMDfAWBvbg@mail.gmail.com> <86ed5dab-6476-efa7-5ecf-7477bfefc1e9@netfence.it> <CACNAnaFijz1ibsk13LQT38ErguNAf13d6v8MqZt%2Beg%2BOGt2ZbA@mail.gmail.com> <3f4fcb27-06e1-ee30-b16e-30d202427f28@netfence.it>

On 12/17/21 10:49, Andrea Venturoli wrote:

>> The current incarnation of
>> security/ca_root_nss will likely go away in the near-to-mid future and
>> might be replaced with a version that installs certctl compatible
>> roots at some point.
>
> I'm looking forward to it, though some software seems to still look for
> the single pem file.

security/gnutls seems to be a culprit here.
It will configure with:
> --with-default-trust-store-file=${LOCALBASE}/share/certs/ca-root-nss.crt
and optionally:
> P11KIT_CONFIGURE_ON= --with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit"

Upstream supports:
> --with-default-trust-store-dir=DIR
>     use the given directory as default trust store

So, possibly the port should use
> --with-default-trust-store-dir=/etc/ssl/certs
?
(I haven't had time to try this yet, though).

bye & Thanks
av.