[OmniOS-discuss] ssl root CA certs

Theo Schlossnagle jesus at omniti.com
Sun Oct 14 09:44:22 EDT 2012


That change sounds completely reasonable. Having the certs in gate
seems rather short-sighted.  Once that happens, we'll cope fine.

On Sat, Oct 13, 2012 at 9:06 PM, Paul B. Henson <henson at acm.org> wrote:
> On Fri, Oct 12, 2012 at 11:53:07AM -0400, Eric Sproul wrote:
>
>> It looks like these certs are at least 18 months old, judging solely
>> by the mod times.  I'm not certain how often they get updated, but
>> given the changes I've observed in the bundle we get from haxx.se,
>> this collection almost certainly contains stale data.  Given that, do
>> we still want to encourage the use of that set or just point apps at
>> /etc/cacert.pem which is more up to date?
>
> The illumos dev list was in favor of just removing them from
> illumos-gate, so I'm going to put together an RTI to do so. I don't know
> if it will go through before you branch the next stable though, I guess
> you could always cherrypick that commit.
>
> I think the cleanest thing to do is to have a set of individual certs
> and openssl hashes to them that correspond to whatever certs are bundled
> in the libnssckbi.so included in the mozilla-nss package, so behavior
> between apps using nss and apps using openssl matches. From a packaging
> perspective, I don't know if it would be better to just have them part
> of the nss package or have them in a separate package.
>
> On the one hand, I suppose you can just get the latest list from
> Mozilla's repo, on the other, that won't necessarily match the nss
> version, and if the changes are important enough, an update of the nss
> package including them would also be warranted, which if the package
> included the plain text external certs too, would bring them along.
>
> Thoughts?



-- 
Theo Schlossnagle

http://omniti.com/is/theo-schlossnagle
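
The layout discussed in the quoted message, individual certificates with OpenSSL hash links, can be built from a PEM bundle such as /etc/cacert.pem. The following is an added example, not code from this thread or from OmniOS; the function names and the `cert-NNN.pem` file naming are assumptions, and `make_sample_bundle` only generates constructed throwaway certificates for trying it out.

```shell
#!/bin/sh
# Added example: turn a PEM bundle into an OpenSSL CApath-style directory.
# Usage: split_bundle /etc/cacert.pem /tmp/certs && hash_dir /tmp/certs

# split_bundle BUNDLE OUTDIR: write each certificate to OUTDIR/cert-NNN.pem.
# Text between certificates (comments in the bundle) is dropped.
split_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n); keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/ { keep = 0; close(out) }
    ' "$1"
}

# hash_dir DIR: create <subject-hash>.<n> symlinks, the names OpenSSL looks up
# in a CApath directory. Certificates whose subjects hash to the same value get
# increasing suffixes (.0, .1, ...). Prints "expired: FILE" for any certificate
# already past its notAfter date, so an old collection is visible at build time.
hash_dir() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -noout -hash -in "$f") || { echo "unparsable: $f" >&2; continue; }
        openssl x509 -noout -checkend 0 -in "$f" >/dev/null || echo "expired: $f"
        n=0
        while [ -e "$1/$h.$n" ] || [ -L "$1/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$f")" "$1/$h.$n"
    done
}

# make_sample_bundle FILE: constructed test data, two self-signed certificates
# with made-up subjects, valid for one day. Not real CA certificates.
make_sample_bundle() {
    tmp=$(mktemp -d) || return 1
    for cn in "Example Root A" "Example Root B"; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$tmp/key.pem" -out "$tmp/crt.pem" 2>/dev/null || return 1
        cat "$tmp/crt.pem"
    done > "$1"
    rm -rf "$tmp"
}
```

Running both functions again after each update of the bundle into a fresh directory keeps the hash links in step with the bundle's contents.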

