Mailinglist Archive: opensuse-bugs (4736 mails)

[Bug 594501] update-ca-certificates doesn't generate /etc/ssl/cert.pem
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Thu, 8 Apr 2010 09:13:42 +0000
  • Message-id: <20100408091342.39C50245467@xxxxxxxxxxxxxxxxxxxxxx>
http://bugzilla.novell.com/show_bug.cgi?id=594501

http://bugzilla.novell.com/show_bug.cgi?id=594501#c3


--- Comment #3 from Ludwig Nussel <lnussel@xxxxxxxxxx> 2010-04-08 11:13:41 CEST ---
(In reply to comment #2)
> Hrm, I guess I'm misunderstanding something: why is it wrong to prefer the file
> over /etc/ssl/certs if both are updated with update-ca-certificates?

It's not directly wrong but I'd still recommend not using it.
openssl for example doesn't need to load all certificates into
memory when using the directory so the directory should be
preferred.

> Anyway, in all cases, I don't have any pem file in /etc/ssl, so I don't have
> /etc/ssl/ca-bundle.pem either ;-)

Is ca-certificates-mozilla installed?

> As for epiphany: it's a build time option. Right now, we pass --without-ca-file
> to configure since we don't have any file to use, so it's not related to bug
> 594434. By default, it was checking for the existence of a file, so the build
> was failing, but I can force a path and it won't check the existence during the
> build. So if /etc/ssl/ca-bundle.pem is the right thing to use, then that's what I
> need to know to fix the epiphany part.

Does epiphany use openssl or gnutls? In case of openssl just make it
call SSL_CTX_set_default_verify_paths(). gnutls unfortunately
doesn't support directories itself so the cheap solution there
indeed is to use the bundle file (won't work on older openSUSE
though) or just load /etc/ssl/certs/*.pem manually. libpurple does
that.
OTOH if we'd make all gnutls programs use the bundle I could switch
/etc/ssl/certs to use certificates with openssl trust bits. gnutls
currently doesn't support such trusted certificates so the system
certificates are restricted to ones trusted for "serverAuth" only.
See also https://bugzilla.redhat.com/show_bug.cgi?id=466626#c18

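The "load /etc/ssl/certs/*.pem manually" option from the comment above, as an added example that is not part of the original mail or of any project named in it: it gathers the plain CERTIFICATE blocks of a directory into one bundle for a library without directory support, and leaves out OpenSSL TRUSTED CERTIFICATE blocks, which the comment says gnutls cannot read. The function names, the skip policy and the sample payloads are assumptions made for illustration.

```python
import base64
import glob
import hashlib
import os
import re
import tempfile

# Any PEM block; the label decides whether a non-OpenSSL consumer can parse it.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def collect_ca_pems(cert_dir):
    """Return (bundle_text, skipped) built from cert_dir/*.pem (hypothetical helper)."""
    seen, blocks, skipped = set(), [], []
    for path in sorted(glob.glob(os.path.join(cert_dir, "*.pem"))):
        with open(path, encoding="ascii", errors="replace") as fh:
            text = fh.read()
        for label, body in PEM_BLOCK.findall(text):
            if label != "CERTIFICATE":  # e.g. TRUSTED CERTIFICATE (OpenSSL trust bits)
                skipped.append((path, label))
                continue
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                skipped.append((path, "undecodable CERTIFICATE"))
                continue
            digest = hashlib.sha256(der).digest()
            if digest in seen:  # same certificate shipped under a second file name
                continue
            seen.add(digest)
            b64 = base64.b64encode(der).decode("ascii")
            wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            blocks.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped)
    return "".join(blocks), skipped

def demo():
    """Constructed directory; payloads are placeholders, not real certificates."""
    def pem(label, raw):
        b64 = base64.b64encode(raw).decode("ascii")
        return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)
    files = {"a.pem": pem("CERTIFICATE", b"constructed-ca-A"),
             "dup.pem": pem("CERTIFICATE", b"constructed-ca-A"),
             "b.pem": pem("TRUSTED CERTIFICATE", b"constructed-ca-B")}
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        bundle, skipped = collect_ca_pems(d)
    return bundle.count("BEGIN CERTIFICATE"), [label for _, label in skipped]
```

Anything that lands in `skipped` is worth logging, since a CA silently missing from the bundle shows up later as a verification failure in the consuming program.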
