Ruediger Meier wrote:
On Friday 02 August 2013, Ludwig Nussel wrote:
Ruediger Meier wrote:
Just checked again, On opensuse 11.4 (and probably still on 12.3) custom files in /etc/ssl/certs/ were not removed by update-ca-certificates. IMO we should keep that behavior if possible. update-ca-certificates only creates symlinks to its well-known paths. Why not only remove exactly such symlinks?
It does exactly that atm.
No, it seems to remove ALL symlinks:
$ ln -s /usr/share/ca-certificates/my/bla.pem /etc/ssl/certs/bla.pem
$ ll /etc/ssl/certs/bla.pem
/etc/ssl/certs/bla.pem -> /usr/share/ca-certificates/my/bla.pem
$ update-ca-certificates
$ ll ssl/certs/bla.pem
ls: cannot access ssl/certs/bla.pem: No such file or directory
(It also removes symlinks to other paths)
Yes, it outputs a warning telling you the correct location for wrong symlinks though. The above case is a symlink to a well known location previously managed by update-ca-certificates so it's removed without warning. I'll remove the unlink in the other case, otherwise the warning would be hidden in the update logs I guess.
What I am saying is that a) creating and removing hundreds of symlinks in /etc sucks and b) custom certificates in /etc/ssl/certs no longer work as neither openssl nor gnutls use /etc/ssl/certs anymore.
Ah ok, I have not updated openssl yet. Why don't we want to use /etc/ssl/ anymore, although we always keep it up to date? If we really want to break all openssl users on all systems with custom certs in /etc/ssl then I don't understand why we still want to keep and update /etc/ssl/certs at all.
For compatibility with programs that still hardcode /etc/ssl/certs instead of calling SSL_CTX_set_default_verify_paths(). Openssl itself doesn't use that path anymore to be able to use "trusted certs", i.e. ones that are also valid for email or code signing. /etc/ssl/certs may only hold certs valid for server auth to stay compatible.
cu
Ludwig
--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
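The pruning rule the thread converges on (remove only symlinks whose target lies in the directory the tool manages, warn about symlinks pointing elsewhere, never touch regular files) as an added shell illustration. This is not the openSUSE update-ca-certificates script and not code from either poster; it models the behaviour Ludwig describes for the case Ruediger showed (a symlink into /usr/share/ca-certificates is removed silently, a symlink elsewhere only gets a warning). All paths are temporary directories constructed by setup_demo, standing in for /etc/ssl/certs and /usr/share/ca-certificates, and the certificate contents are constructed placeholders, not real PEM data.

```shell
#!/bin/sh
# Added illustration, not the real update-ca-certificates: prune only symlinks
# whose target lies under the managed directory, warn about symlinks pointing
# elsewhere, and never touch regular files. All paths are temp dirs
# (assumptions), not /etc or /usr/share.

# prune_managed_symlinks CERTDIR MANAGEDDIR
prune_managed_symlinks() {
    certdir=$1
    managed=$2
    for entry in "$certdir"/*; do
        [ -L "$entry" ] || continue            # regular files stay (custom certs)
        target=$(readlink "$entry")
        case "$target" in
            "$managed"/*)
                rm -f "$entry"                 # managed symlink: tool recreates it
                ;;
            *)
                echo "warning: $entry -> $target is not under $managed, kept" >&2
                ;;
        esac
    done
}

# setup_demo ROOT: constructed layout mirroring the case in the thread.
#   ROOT/managed/my/bla.pem  stands in for /usr/share/ca-certificates/my/bla.pem
#   ROOT/certs/              stands in for /etc/ssl/certs
setup_demo() {
    root=$1
    mkdir -p "$root/managed/my" "$root/certs"
    # constructed placeholder, not a real certificate
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' \
        > "$root/managed/my/bla.pem"
    ln -s "$root/managed/my/bla.pem" "$root/certs/bla.pem"     # the symlink from the thread
    ln -s "$root/elsewhere/other.pem" "$root/certs/other.pem"  # foreign target (dangling)
    cp "$root/managed/my/bla.pem" "$root/certs/local.pem"      # a plain custom file
}

# remaining_entries CERTDIR: sorted, space-separated names left after pruning
remaining_entries() {
    ls "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Run with DEMO=1 to see the effect on the constructed layout.
if [ "${DEMO:-0}" = 1 ]; then
    root=$(mktemp -d)
    setup_demo "$root"
    prune_managed_symlinks "$root/certs" "$root/managed"
    echo "left in certs: $(remaining_entries "$root/certs")"
    rm -rf "$root"
fi
```

With DEMO=1 the managed symlink bla.pem disappears without a message, other.pem stays and produces the warning on stderr, and the regular file local.pem is untouched, which is the behaviour Ruediger asked to keep for custom files in /etc/ssl/certs.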