Error validating server certificate
Kurt Jaeger
pi at freebsd.org
Sun Sep 16 16:54:33 UTC 2018
Hi!
> > You will not see this if you install the security/ca_root_nss port.
> Why is security/ca_root_nss not present in base?
There are several reasons:
- The project is hesitant to endorse certificate authorities (CAs), as some
of them might be (or become) of questionable trustworthiness
during the lifetime of a release and adding/changing all or some to base
would add workload to decide which ones to include or to exclude.
- The amount of work to cut a new release or a patch for a release
is large. If you look at the update frequency for the port:
https://www.freshports.org/security/ca_root_nss/
it would burden the project with base updates just for the CAs.
- Some suggested that the FreeBSD project should operate its own CA and
issue certs for project sites and include the CA in base.
Running and securing a CA is not a simple endeavour so we hesitated
to do so.
> I mean, on a brand new install, one goes to update the sources, and just
> the sources. And this error is issued?
>
> I think it looks bad. Do you agree?
Yes, we all agree that it looks bad, but we have not yet found a simple,
workable solution. Yes, it was discussed many times in the past.
--
pi at FreeBSD.org +49 171 3101372 2 years to go !