[Bug 284749] certctl: add support for generating cert.pem CAfiles
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 284749] certctl: add support for generating cert.pem CAfiles"
Date: Thu, 20 Feb 2025 12:31:35 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749

--- Comment #33 from Michael Osipov <michaelo@FreeBSD.org> ---
(In reply to Franco Fichtner from comment #32)

I have trussed libfetch. libfetch does not have any fallbacks; I have removed those and it uses defaults only. The behavior is documented, see Comment #18 and https://docs.openssl.org/master/man3/SSL_CTX_load_verify_locations/#notes

This patch is an option, not the default, as a stop-gap *solution* only for use cases where an upstream/downstream patch is not possible.

I don't buy the argument of hardwiring. This totally depends on the OpenSSL type you use; I bet that most are fine with the base version, which only uses /etc/ssl. On the other hand, OpenSSL from ports does NOT use /etc/ssl/certs, which is a pity and a PITA.