
On Friday 26 July 2013, Ludwig Nussel wrote:
Ruediger Meier wrote:
today I wanted to install a custom ca-certificate globally (actually just the ca-certificates-cacert rpm package). I found that it's a bit annoying that this is not easily possible, since different programs are using different paths to look for CA certificates and we have a lot of duplicated certs installed.
For example we have some packages giving us some certificates:
ca-certificates-mozilla: /usr/share/ca-certificates/mozilla/
kdelibs3: /opt/kde3/share/apps/kssl/ca-bundle.crt
kdelibs4: /usr/share/kde4/apps/kssl/ca-bundle.crt
(They all have more or less the same content.)
Those KDE bundles shouldn't exist. They are from 2009 so horribly out of date. If you find such cases feel free to file bug reports.
My question is, couldn't we do that by default? So that installing custom ca-certificates globally would hopefully affect all possible programs.
I'm currently working on that for 13.1¹. Applications are expected to call SSL_CTX_set_default_verify_paths() resp. gnutls_x509_trust_list_add_system_trust() to make them use the system certificate store. No package should hardcode /etc/ssl/certs or any bundle file anymore. NSS applications like Firefox need no change. Just install p11-kit-nss-trust instead of mozilla-nss-certs.
Ok, now I've tried out the new p11-kit* and ca-certificates* packages. It works pretty well but I have a few issues:
1. It's not nice that /etc/ssl/openssl.cnf is disabled right now. I understand that you want to reduce the Factory packages which are using it. But it's unusable for users who need it. Actually this is completely against the idea to unify the certs stuff and to make it easier to use.
2. Shouldn't /usr/share/ca-certificates still be parsed for compatibility? What if users have installed custom certs there?
3. Is it correct that ca-certificates-cacerts are installed in /usr/share/pki/trust/anchors/ but ca-certificates-mozilla above in /usr/share/pki/trust/?
BTW if somebody is interested, I've built these packages for old SUSE versions >= 11.4 in home:rudi_m:
ca-certificates
ca-certificates-cacert
ca-certificates-mozilla
p11-kit
cu, Rudi
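As an added example, not code from this thread or from the openSUSE packages it discusses: the Python equivalent of the SSL_CTX_set_default_verify_paths() approach Ludwig describes, plus a small report a user can run to check that the system store (and a custom CA installed into it) is what applications actually see. The function names are my own.

```python
import ssl

# Added example. The client trusts whatever the system certificate store
# provides and never hardcodes /etc/ssl/certs or a bundle like ca-bundle.crt.


def system_trust_context():
    """Client context that verifies peers against the system trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Same as SSL_CTX_set_default_verify_paths(): loads OpenSSL's compiled-in
    # cafile/capath; SSL_CERT_FILE and SSL_CERT_DIR in the environment override
    # them, so a CA installed globally is picked up without app changes.
    ctx.set_default_verify_paths()
    return ctx


def trust_store_report():
    """Where the default paths point and how many CA certs were loaded."""
    paths = ssl.get_default_verify_paths()
    ctx = system_trust_context()
    stats = ctx.cert_store_stats()
    return {
        "cafile": paths.cafile,  # None if the file does not exist
        "capath": paths.capath,  # None if the directory does not exist
        "cafile_env": paths.openssl_cafile_env,
        "capath_env": paths.openssl_capath_env,
        "trusted_cas": stats["x509_ca"],
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


def trusted_ca_names(ctx):
    """Common names of the CA certificates currently loaded into ctx.

    Certs from a capath directory only appear once OpenSSL has looked them
    up, so a cafile bundle gives the most complete answer here.
    """
    names = set()
    for cert in ctx.get_ca_certs():
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value)
    return names


if __name__ == "__main__":
    for key, value in trust_store_report().items():
        print(f"{key}: {value}")
    # After installing a custom CA system-wide, its CN should show up here.
    print(sorted(trusted_ca_names(system_trust_context())))
```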