tech-userlevel archive


Re: new certificate stuff



> Date: Sat, 26 Aug 2023 08:20:50 -0700 (PDT)
> From: Paul Goyette <paul%whooppee.com@localhost>
> 
> OK, I tried to read and understand the thread, but not really sure I
> succeeded with the understanding part.  (In fact, I'm pretty sure I
> failed that part, miserably.)

This is about enabling TLS clients -- like ftp(1), pkg_add(1), &c. --
connecting to a server to verify that the server owns the name you
used to connect to it, according to a directory of certification
authorities (CAs) curated and shipped by Mozilla.

This is specifically about managing /etc/openssl/certs, the place
where applications using OpenSSL will look by default for trusted CA
certificates (or `trust anchors').

> I've got a simple set-up here, running postfix and pine for Email, and
> of course f-fox for browsing.  I've never done anything (at least, not
> deliberately) with certificates;  reading and writing Email just works,
> as does most browsing.
> 
> Will I need to do anything new (or differently) as a result of these
> recent changes?

Probably not.

- If pine is just reading a local mbox or maildir, or talking to an
  imap server at localhost, it won't be affected.

- I don't think Postfix will do any TLS validation unless you ask it
  to explicitly with smtp_tls_* or smtpd_tls_* options or similar,
  which you presumably haven't done.

- Firefox uses its own internal trust anchors and is not affected by
  /etc/openssl/certs.

If you currently use security/mozilla-rootcerts or
security/ca-certificates (or security/mozilla-rootcerts-openssl) to
populate /etc/openssl/certs, and you want to continue to use it, you
will have to put the line `manual' in /etc/openssl/certs.conf before
you next run postinstall(8).
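As an added example (not from the original mail, and not NetBSD's or pkgsrc's own code): a small sh script that checks whether /etc/openssl/certs looks populated by something other than the base system and, if so, idempotently adds the `manual` line to certs.conf so postinstall(8) leaves the directory alone. It assumes that pkgsrc's mozilla-rootcerts populates the directory with symlinks and that base-system links point under /usr/share/certs; both are assumptions, and all paths are parameters so the functions can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original thread. Decides whether
# /etc/openssl/certs should be marked `manual' and applies the marker.

# Return 0 if CERTDIR contains a symlink whose target is not under BASE,
# i.e. the trust store was populated by something other than the base
# system (assumption: pkgsrc mozilla-rootcerts installs such symlinks).
# Return 1 if every link points under BASE or the directory is empty.
certs_dir_is_foreign() {
    certdir=$1
    base=${2:-/usr/share/certs}   # assumed base-system cert location
    for f in "$certdir"/*; do
        [ -L "$f" ] || continue   # only symlinks are interesting
        target=$(readlink "$f")
        case $target in
            "$base"/*) ;;         # base-system link: fine
            *) return 0 ;;        # anything else: foreign population
        esac
    done
    return 1
}

# Ensure the literal line "manual" exists in CONF (idempotent).
# Prints "added" when the line was appended, "present" when it was there.
ensure_manual() {
    conf=$1
    if [ -f "$conf" ] && grep -qx 'manual' "$conf"; then
        echo present
        return 0
    fi
    printf '%s\n' manual >> "$conf"
    echo added
}

# Only touch the real system when explicitly asked: `sh script.sh --apply`
if [ "${1:-}" = --apply ]; then
    if certs_dir_is_foreign /etc/openssl/certs; then
        ensure_manual /etc/openssl/certs.conf
    else
        echo "certs dir looks base-managed; nothing to do"
    fi
fi
```

Run it with `--apply` as root before the next postinstall(8); without the flag it only defines the functions.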
