Re: [dev] [stali] Root CA certificates

From: Michael Forney <mforney_AT_mforney.org>
Date: Sun, 23 Oct 2016 14:12:14 -0700

On 10/23/16, Bruno Vetter <simplelife2010_AT_outlook.com> wrote:
>> I suggest just grabbing cert.pem from libressl.
>
> Thanks for the quick reply. Do you know if there is a designated default
> path for certs in stali?

It looks like the stali curl_config.h sets CURL_CA_BUNDLE to
/etc/ssl/certs/ca-certificates.crt[0]. I suspect that this is the
detected location for the cert bundle on the system used to run curl's
configure script.

> From what I see, stali's curl is not built with any certs default path or
> default bundle file.

See above.

> I don't know if it falls back to some libressl settings
> in that case (I have no openssl.cnf yet). Same question for other
> applications using certs like git.

I believe git uses libcurl, so probably just uses the path specified
in curl. It looks like the default path in libressl is to use
OPENSSLDIR "/cert.pem", and stali is using the default value of
OPENSSLDIR, /etc/ssl.

So, other applications that use libressl directly and have no default
are probably looking for it in /etc/ssl/cert.pem.

> I just want to understand how it's meant to work.

I don't know how it's meant to work on stali, but on my system, I
install cert.pem to /share/libressl/cert.pem, and create a symlink
/etc/ssl/cert.pem -> ../share/libressl/cert.pem, and set
CURL_CA_BUNDLE to /etc/ssl/cert.pem.
Received on Sun Oct 23 2016 - 23:12:14 CEST
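
An added example, not part of the original message or of stali's own tooling: a POSIX shell check of the two default bundle paths named above (curl's CURL_CA_BUNDLE value and libressl's OPENSSLDIR "/cert.pem"), run against a constructed scratch root so it can be tried offline. The function names, the scratch layout, the symlink target and the placeholder PEM body are assumptions made for the illustration.

```shell
#!/bin/sh
# Paths from the message: curl's compiled-in CURL_CA_BUNDLE on stali, and the
# libressl default OPENSSLDIR "/cert.pem" with OPENSSLDIR=/etc/ssl.
CURL_BUNDLE=/etc/ssl/certs/ca-certificates.crt
LIBRESSL_BUNDLE=/etc/ssl/cert.pem

# check_bundle ROOT PATH: print a status line; return 0 only if PATH under
# ROOT is a readable file holding at least one PEM certificate block.
check_bundle() {
    full="${1%/}$2"
    if [ -L "$full" ] && [ ! -e "$full" ]; then
        echo "$2: dangling symlink -> $(readlink "$full")"; return 2
    elif [ ! -f "$full" ] || [ ! -r "$full" ]; then
        echo "$2: missing or unreadable"; return 1
    fi
    # Counts PEM markers only; it does not parse or validate certificates.
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$full" || true)
    if [ "$n" -eq 0 ]; then
        echo "$2: present but holds no PEM certificates"; return 3
    fi
    echo "$2: ok, $n certificate block(s)"
}

# audit ROOT: check both default paths; return how many are unusable.
audit() {
    bad=0
    for p in "$CURL_BUNDLE" "$LIBRESSL_BUNDLE"; do
        check_bundle "$1" "$p" || bad=$((bad + 1))
    done
    return "$bad"
}

# make_demo_root: constructed scratch layout with the bundle under
# share/libressl and a relative symlink at etc/ssl/cert.pem (link target
# chosen for this scratch root). The PEM body is a placeholder, not a real cert.
make_demo_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/share/libressl" "$r/etc/ssl"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$r/share/libressl/cert.pem"
    ln -s ../../share/libressl/cert.pem "$r/etc/ssl/cert.pem"
    echo "$r"
}

demo=$(make_demo_root)
audit "$demo" || echo "unusable default paths: $?"
rm -rf "$demo"
```

On a live system, `audit /` checks the real paths; in the scratch layout only the libressl path resolves, so a client built with the other path would find no trust store.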
