Ruediger Meier wrote:
today I wanted to install globally a custom ca-certificate (actually just the ca-certificates-cacert rpm package). I found that it's a bit annoying that this is not easily possible since different programs are using different paths to look for ca certificates and we have a lot duplicated certs installed
For example we have some packages giving us some certificates ca-certificates-mozilla: /usr/share/ca-certificates/mozilla/ kdelibs3: /opt/kde3/share/apps/kssl/ca-bundle.crt kdelibs4: /usr/share/kde4/apps/kssl/ca-bundle.crt (They all have more less the same content.)
Those KDE bundles shouldn't exist. They are from 2009 so horribly out of date. If you find such cases feel free to file bug reports.
My question is, couldn't we do that per default? So that installing custom ca-certificates globally would affect hopefully all possible programs.
I'm currently working on that for 13.1¹. Applications are expected to call SSL_CTX_set_default_verify_paths() resp gnutls_x509_trust_list_add_system_trust() to make them use the system certificate store. No package should hardcode /etc/ssl/certs or any bundle file anymore. NSS applications like Firefox need no change. Just install p11-kit-nss-trust instead of mozilla-nss-certs. cu Ludwig [1] https://features.opensuse.org/314991 -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org