pkgsrc-Bugs archive
Re: pkg/50690: lang/go invalid path to ca-certificates.crt
The following reply was made to PR pkg/50690; it has been noted by GNATS.
From: Leonardo Taccari <leot%NetBSD.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc:
Subject: Re: pkg/50690: lang/go invalid path to ca-certificates.crt
Date: Fri, 22 Jan 2016 16:11:44 +0100
Hello Kamil, Benny and Thomas,
Thomas Klausner writes:
> NetBSD doesn't ship this at all.
>
> And security/mozilla-rootcerts defaults to /etc/openssl/certs.
That's true, although after ktruss(1)-ing various applications that use
SSL certificates it seems that they all end up first trying
/etc/openssl/cert.pem and then find a valid certificate in /etc/openssl,
e.g.:
$ ktruss openssl s_client -connect netbsd.org:443 < /dev/null 2>/dev/null | sed -ne '/open/ { /etc/p }'
[...]
5134 1 openssl open("/etc/openssl/cert.pem", 0, 0x1b6) Err#2 ENOENT
[...]
5134 1 openssl __stat50("/etc/openssl/certs/e2799e36.0", 0x7f7fffffcb90) = 0
5134 1 openssl open("/etc/openssl/certs/e2799e36.0", 0, 0x1b6) = 6
[...]
After trying to better figure that out, it seems that in
src/crypto/external/bsd/openssl/dist/crypto/cryptlib.h:83, we have:
[...]
# define X509_CERT_AREA OPENSSLDIR
# define X509_CERT_DIR OPENSSLDIR "/certs"
# define X509_CERT_FILE OPENSSLDIR "/cert.pem"
# define X509_PRIVATE_DIR OPENSSLDIR "/private"
[...]
(...where OPENSSLDIR is defined in src/crypto/Makefile.openssl as
"/etc/openssl")
So, the best way to handle this PR IMHO is to:
- pkgsrc/security/mozilla-rootcerts: change $certdir to
"/etc/openssl" (line 24) and "ca-certificates.crt" (line 205)
in files/mozilla-rootcerts.sh
- update lang/go (and probably lang/go14 too) accordingly
to use "/etc/openssl/cert.pem" as certFiles.
I can handle both if needed but I'd like feedback from more
experienced eyes than mine!
Thank you in advance!
Ciao,
L.