http://bugzilla.novell.com/show_bug.cgi?id=594501
http://bugzilla.novell.com/show_bug.cgi?id=594501#c3

--- Comment #3 from Ludwig Nussel <lnussel@novell.com> 2010-04-08 11:13:41 CEST ---
(In reply to comment #2)
Hrm, I guess I'm misunderstanding something: why is it wrong to prefer the file over /etc/ssl/certs if both are updated with update-ca-certificates?
It's not directly wrong but I'd still recommend not using it. openssl for example doesn't need to load all certificates into memory when using the directory so the directory should be preferred.
Anyway, in all cases, I don't have any pem file in /etc/ssl, so I don't have /etc/ssl/ca-bundle.pem either ;-)
Is ca-certificates-mozilla installed?
As for epiphany: it's a build time option. Right now, we pass --without-ca-file to configure since we don't have any file to use, so it's not related to bug 594434. By default, it was checking for the existence of a file, so the build was failing, but I can force a path and it won't check the existence during the build. So if /etc/ssl/ca-bundle.pem is the right thing to use, then that's what I need to know to fix the epiphany part.
Does epiphany use openssl or gnutls? In case of openssl just make it call SSL_CTX_set_default_verify_paths(). gnutls unfortunately doesn't support directories itself so the cheap solution there indeed is to use the bundle file (won't work on older openSUSE though) or just load /etc/ssl/certs/*.pem manually. libpurple does that. OTOH if we'd make all gnutls programs use the bundle I could switch /etc/ssl/certs to use certificates with openssl trust bits. gnutls currently doesn't support such trusted certificates so the system certificates are restricted to ones trusted for "serverAuth" only. See also https://bugzilla.redhat.com/show_bug.cgi?id=466626#c18