RFC: Proposal: Install a /etc/ssl/cert.pem by default?

Jonathan Anderson jonathan at FreeBSD.org
Thu Jul 3 14:57:16 UTC 2014


Bryan Drewery wrote:
> libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl.

How very sensible!


> I like the idea of secteam maintaining a ca-root-freebsd.pem even
> better, as long as you are willing to.

Just my $.02, but if the FreeBSD project is to maintain a 
ca-root-freebsd.pem, I think it should have one certificate in it: the 
root FreeBSD Project cert. Beyond that, I'm not willing to vouch for the 
trustworthiness of any CA, and I don't think the Project should either.

Let people install CA bundles from packages, even give admins the choice 
of "the Mozilla bundle" vs "Dr Guru's paranoid bundle" vs whatever, but 
I don't think the Project should be in the business of endorsing any 
particular CA in the base system.


> IMHO always install it, don't depend on MK_OPENSSL. Is the file actually
> specific to OpenSSL? Ports would love to have it be available all the
> time regardless of SSL library choices.

Or we could patch the OpenSSL port to use /usr/local/etc/ssl too?


Jon
-- 
Jonathan Anderson
jonathan at FreeBSD.org
