Location of the SSL CA root store (affects fetch(1) from base, ftp/wget, ftp/curl, and probably all software using OpenSSL)

Moritz Wilhelmy mw+freebsd at barfooze.de
Fri Mar 4 17:20:08 UTC 2016


First off, I've been considering reporting this as multiple bugs, and it
is a tough decision for me because I think there should be more internal
discussion about what the project thinks about the official location for
CA root certificate storage, so I'm sending this to the lists instead
and hoping I reach the right people. Please excuse any mistakes in this
regard; I'm new on the lists.

Is there a guideline or official stance regarding where software should
look for the CA Root certificate store? If not, I think there should be.

Tested on FreeBSD 10.1 with curl 7.47.0 and wget 1.16 with OpenSSL from
the base system and no OpenSSL port installed.


fetch looks for CA root certificates in /usr/local/etc/ssl/certs, which
seems counterintuitive given that it is part of the base system.

Command used (for easy copy-pasting):
$ truss fetch -o /dev/null https://cacert.org 2>&1 | grep ^open


ftp/wget only looks at /etc/ssl/certs, which is again counterintuitive
given that it's a 3rd party package installed via the ports framework.

$ truss wget -O /dev/null https://cacert.org 2>&1 | grep ^open


curl with the ca-root-nss option only looks at the file installed by
that package that contains all NSS root certificates, but it completely
ignores the CA certificate storage at /etc/ssl/certs as well as
${LOCALBASE}/etc/ssl/certs; instead, it only ever looks at
${LOCALBASE}/share/certs/ca-root-nss.crt, where a sysadmin can't add
certificates without their changes being overwritten by subsequent
updates to the CA bundle package. (I've confirmed this via truss(1), but
curl -v prints this path as well.)

I haven't tried recompiling curl without the option to see where it
would look for root certificates.

$ truss curl -o /dev/null https://cacert.org 2>&1 | grep ^open

Best regards,
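The three truss commands in the post each produce a list of open() calls; as an added example (not part of the original post), the script below parses such a transcript and reports which of the candidate CA store locations a tool actually consulted and which one it ended up using. It assumes LOCALBASE=/usr/local and a truss open() line shape as shown in the constructed sample.

```python
import re

# LOCALBASE is assumed to be /usr/local (the ports default); the post writes it as ${LOCALBASE}
LOCALBASE = "/usr/local"
# Candidate CA root store locations named in the post (plus the single-file cert.pem form)
CA_STORE_PATHS = ("/etc/ssl/certs", "/etc/ssl/cert.pem", LOCALBASE + "/etc/ssl/certs",
                  LOCALBASE + "/etc/ssl/cert.pem", LOCALBASE + "/share/certs/ca-root-nss.crt")
# One truss(1) open()/openat() line; this shape is an assumption modelled on FreeBSD truss output,
# e.g.  open("/etc/ssl/cert.pem",O_RDONLY,0666) ERR#2 'No such file or directory'
OPEN_RE = re.compile(r'^open(?:at)?\((?:AT_FDCWD,)?"(?P<path>[^"]+)",[^)]*\)\s*'
                     r'(?:=\s*(?P<fd>-?\d+)|ERR#(?P<errno>\d+))')

def parse_opens(trace):
    """Yield (path, succeeded) for every open/openat call in a truss transcript."""
    for line in trace.splitlines():
        m = OPEN_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("fd") is not None and int(m.group("fd")) >= 0

def is_ca_store_path(path):
    """True if path is a candidate store location or a file inside one."""
    return any(path == p or path.startswith(p + "/") for p in CA_STORE_PATHS)

def ca_store_lookups(trace):
    """Map each CA store path the program tried -> whether the open succeeded."""
    return {path: ok for path, ok in parse_opens(trace) if is_ca_store_path(path)}

def effective_store(trace):
    """First CA store path opened successfully, or None if the program found no store at all."""
    return next((p for p, ok in parse_opens(trace) if ok and is_ca_store_path(p)), None)

# Constructed sample (not captured from a real system) mimicking the output of
# `truss curl -o /dev/null https://cacert.org 2>&1 | grep ^open` with ca-root-nss installed
SAMPLE_TRACE = """\
open("/usr/local/lib/libcurl.so.4",O_RDONLY|O_CLOEXEC,00) = 3 (0x3)
open("/usr/local/etc/ssl/certs/ca-certificates.crt",O_RDONLY,0666) ERR#2 'No such file or directory'
open("/etc/ssl/cert.pem",O_RDONLY,0666) ERR#2 'No such file or directory'
open("/usr/local/share/certs/ca-root-nss.crt",O_RDONLY,0666) = 4 (0x4)
"""

if __name__ == "__main__":
    for path, ok in ca_store_lookups(SAMPLE_TRACE).items():
        print(("opened  " if ok else "missing ") + path)
    print("effective store:", effective_store(SAMPLE_TRACE))
```

Feed it a real transcript (`truss fetch ... 2>&1 | grep ^open > trace.txt`) to see at a glance whether a tool ever reads a store an administrator can extend, or only the package-managed bundle.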

