[OmniOS-discuss] CA certs redux

Paul B. Henson henson at acm.org
Sun Nov 4 01:20:20 EST 2012


On Sat, Nov 03, 2012 at 08:30:35AM -0400, Theo Schlossnagle wrote:

> Wget always acts this way. If it finds the cert.pem, it stops.  If you
> remove that file, it will next stat a file in /usr/ssl/certs/.

Huh, yeah, if I remove the symlink so the bundled file isn't found, it
does look for the hashed file. It seems buggy though that if I
explicitly give it the option to look for hashed files in a provided
directory it still looks for and uses the bundled file, ignoring the
option 8-/. But that's nothing to do with omnios.

> > One pedantic concern is that the mozilla nss library includes its own
> > bundled version of CA certs, which would potentially be different than
> > these? That probably won't be a problem in practice though.
> 
> That concern is a real concern.  It certainly violates the principle of
> least surprise.

Heh, I'm glad you think it's an issue :). I didn't really want to harp
on it as it seemed like I was starting to nitpick ;). I originally
suggested to Eric that rather than pull the bundled CA cert file off
curl.haxx.se that the build process for nss rip them out of the
libnssckbi.so library instead, so the nss bundled version and the
external copies were in sync. I'm not sure what the best way to approach
that is from a packaging perspective. That's actually where the current
certs in illumos-gate came from, they were pulled out of the nss version
at the time in the opensolaris repo (with the intention I suppose of
updating them when nss was updated).

> And OPENSSLDIR influences a lot more than just those two paths.  So,
> unless there is a serious issue, I think the softlink back to
> /etc/ssl/... is simple and least intrusive.

For the certs that's functional. For the man pages, with the current
layout they're not found. To make them usable, either they'd need to be
moved into the standard /usr/share/man locations or the default system
manpath would need to be extended to include /usr/ssl/man.

Thanks...
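An added illustration of the "two copies out of sync" concern discussed above, not code from this thread or from OmniOS, illumos or nss: it compares two PEM bundles (say, one extracted from libnssckbi.so and the one fetched from curl.haxx.se) by certificate fingerprint and reports what each carries that the other lacks. The bundle contents below are constructed stand-ins so the script runs offline; pass two real file paths on the command line to compare actual bundles.

```python
import base64
import hashlib
import re
import sys

# One PEM certificate block, as found in a bundle such as /etc/ssl/cert.pem.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def bundle_fingerprints(pem_text: str) -> dict:
    """Map fingerprint -> DER bytes for every certificate in a PEM bundle.
    Hashing the decoded DER makes this insensitive to wrapping or comments."""
    certs = {}
    for body in _PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        certs[fingerprint(der)] = der
    return certs

def compare_bundles(pem_a: str, pem_b: str) -> dict:
    """Which certificates are unique to bundle a, unique to b, or shared."""
    a, b = bundle_fingerprints(pem_a), bundle_fingerprints(pem_b)
    return {"only_in_a": sorted(set(a) - set(b)),
            "only_in_b": sorted(set(b) - set(a)),
            "common": sorted(set(a) & set(b))}

def _constructed_pem(payload: bytes) -> str:
    """Constructed stand-in: a PEM wrapper around arbitrary bytes, not a real
    X.509 certificate; it exists only so the example runs offline."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Two constructed bundles that share one root and each carry one the other lacks.
BUNDLE_NSS = _constructed_pem(b"root-A") + _constructed_pem(b"root-B")
BUNDLE_EXTERNAL = _constructed_pem(b"root-B") + _constructed_pem(b"root-C")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # compare two real bundle files given on the command line
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fb:
            report = compare_bundles(fa.read(), fb.read())
    else:
        report = compare_bundles(BUNDLE_NSS, BUNDLE_EXTERNAL)
    for key, fps in report.items():
        print(f"{key}: {len(fps)}")
        for fp in fps:
            print("   ", fp)
```

A matching fingerprint only says the certificate bytes agree; the trust flags NSS stores alongside each root are not carried in a PEM bundle and need a separate check.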
