[Bug 284749] certctl: add support for generating cert.pem CAfiles

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 20 Feb 2025 12:26:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749

--- Comment #32 from Franco Fichtner <franco@opnsense.org> ---
truss which application? Some applications (like fetch, well libfetch library
really) have or have had bundle fallbacks that disable the hash dir.

The OpenSSL documentation doesn't specify a load order or restrictions. I'm not
saying it doesn't exist, so you could be right.

Given this point, we still don't want OpenSSL to load the bundle instead then?
That would be a step backwards from the certctl introduction. All I'm saying is
that moving the bundle to a default location is not a good idea, as it has an
impact on the hash dir which is not obvious to the user and is not, or will never
be, properly documented / safeguarded against.

ca_root_nss doing it for legacy reasons is one thing. But also most ports are
hardwired to use /usr/local/etc/ssl/cert.pem which is a perfectly fine bundle
location not tainting the base (or ports) OpenSSL behaviour and would even
allow the removal of ca_root_nss (to some degree).
