[OmniOS-discuss] CA certs redux

Paul B. Henson henson at acm.org
Fri Nov 2 22:57:42 EDT 2012


On 11/2/2012 6:40 PM, Theo Schlossnagle wrote:

> I think we'd still want a unified file somewhere.  Several apps want
> to load all known CAs in one go, and that is a bit easier from a
> file.

Hmm, true; having both is probably best.

> I think this does the trick:

Cool, thanks. I'm not sure what changed between the previous stable and 
this one, but it looks like openssl (or at least wget) isn't looking for 
the individual hashed files anymore:

# truss wget https://www.csupomona.edu/ 2>&1 | grep /usr/ssl
open64("/usr/ssl/cert.pem", O_RDONLY)           = 3

So just putting them there might not change anything, wget will continue 
to use the single file version. If you just use 'openssl s_client' it 
doesn't even appear to have a default location, you always have to 
specify -CAfile or -CApath, so maybe it's a different version of wget 
with a different default openssl configuration? I no longer have my 
previous stable install to poke at so I'm not sure exactly. Even if I 
explicitly tell wget to use a certificate directory it still seems to 
just use the single file:

# truss wget --ca-directory=/usr/ssl/certs https://www.csupomona.edu/ 2>&1 | grep /usr/ssl
open64("/usr/ssl/cert.pem", O_RDONLY)           = 3

Dunno 8-/. Other than wget not appearing to look for them, your diff 
looks good to me as far as creating them and making them available.

One pedantic concern is that the mozilla nss library includes its own 
bundled version of CA certs, which would potentially be different than 
these? That probably won't be a problem in practice though.

A different question, why put stuff in /usr/ssl? It looks like there are 
the certificates (which will now be linked to /etc/ssl), man pages 
(which aren't in the default man path and thus not found), a misc 
directory with the CA stuff in it, and an empty private directory.

If openssl is configured to look directly in /etc/ssl and the man pages 
were installed in /usr/share/man, that just leaves the CA directory and 
the empty private directory. It looks like at least some linux 
distributions dump the CA directory in /etc/ssl; another possibility 
would be /usr/share/openssl. I'm not sure what typically goes in the 
private directory? There's nothing in that directory on any of my stuff.

Anyway, thanks much for tuning up the certificate directory. Other than 
that, the last three paragraphs were just design idealism ;).
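As an added example (not part of this thread or of the OmniOS packaging discussed in it), the script below builds the hashed-directory layout that openssl's -CApath lookup expects and shows why copying certificates into a directory under readable names is not enough on its own, while a single bundle file only ever needs -CAfile. It generates a throwaway CA and leaf certificate locally and assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: build the hashed-directory layout that
# OpenSSL's -CApath lookup expects, using a throwaway CA generated locally.
# Assumes an openssl binary on PATH; no network access is needed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERTS="$WORK/certs"    # stands in for /usr/ssl/certs
mkdir -p "$CERTS"

# Constructed test data: a self-signed CA and one leaf certificate it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1

# Install the CA under a human-readable name only, as a copy into the dir.
cp "$WORK/ca.pem" "$CERTS/Example_Test_CA.pem"

# verify_with_capath <cert> <dir>: exit 0 if the chain verifies from <dir>.
verify_with_capath() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# add_hash_link <cert> <dir>: create the <subject-hash>.0 symlink that
# c_rehash / openssl rehash would create; -CApath looks up that name only.
add_hash_link() {
    h=$(openssl x509 -noout -hash -in "$1")
    ln -s "$(basename "$1")" "$2/$h.0"
}

# Before rehash: the file is present but unreachable by issuer lookup.
before=$(verify_with_capath "$WORK/leaf.pem" "$CERTS" && echo ok || echo fail)
add_hash_link "$CERTS/Example_Test_CA.pem" "$CERTS"
after=$(verify_with_capath "$WORK/leaf.pem" "$CERTS" && echo ok || echo fail)
# A single bundle (like /usr/ssl/cert.pem) needs no hashing, only -CAfile.
bundle=$(openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1 \
    && echo ok || echo fail)

echo "CApath before rehash: $before"   # fail
echo "CApath after rehash:  $after"    # ok
echo "CAfile bundle:        $bundle"   # ok
```

The same lookup rule applies to any client that hands OpenSSL a directory, so a CA directory shipped without the hash links is silently ignored even when it is named on the command line.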


