[OmniOS-discuss] ssl root CA certs

Paul B. Henson henson at acm.org
Sat Oct 13 21:06:48 EDT 2012


On Fri, Oct 12, 2012 at 11:53:07AM -0400, Eric Sproul wrote:

> It looks like these certs are at least 18 months old, judging solely
> by the mod times.  I'm not certain how often they get updated, but
> given the changes I've observed in the bundle we get from haxx.se,
> this collection almost certainly contains stale data.  Given that, do
> we still want to encourage the use of that set or just point apps at
> /etc/cacert.pem which is more up to date?

The illumos dev list was in favor of just removing them from
illumos-gate, so I'm going to put together an RTI to do so. I don't know
if it will go through before you branch the next stable though, I guess
you could always cherry-pick that commit.

I think the cleanest thing to do is to have a set of individual certs
and openssl hashes to them that correspond to whatever certs are bundled
in the libnssckbi.so included in the mozilla-nss package, so behavior
between apps using nss and apps using openssl matches. From a packaging
perspective, I don't know if it would be better to just have them part
of the nss package or have them in a separate package.

On the one hand, I suppose you can just get the latest list from
Mozilla's repo, on the other, that won't necessarily match the nss
version, and if the changes are important enough, an update of the nss
package including them would also be warranted, which if the package
included the plain text external certs too, would bring them along.

Thoughts?
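Added example (not part of the message above, nor code from OmniOS or illumos) of the layout the proposal describes: a PEM bundle is split into individual certificates and each one is named `<subject-hash>.<n>` the way OpenSSL's c_rehash lays out a CApath directory. It implements the pre-1.0.0 hash (`openssl x509 -subject_hash_old`: first four MD5 bytes of the subject's DER, little-endian); OpenSSL 1.0.0 and later default to `-subject_hash`, a SHA-1 over a canonicalised name, which is not implemented here. The sample bundle is constructed from unsigned certificate skeletons, not real CA certificates.

```python
import base64, hashlib, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_bundle(bundle_text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(bundle_text)]

def der_read(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, contents, position just after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def subject_der(cert_der):
    """DER of the subject Name: 5th TBSCertificate field once the optional [0] version is skipped."""
    tbs, fields, pos = der_read(der_read(cert_der)[1])[1], [], 0
    while pos < len(tbs):                               # walk the TBSCertificate fields in order
        end = der_read(tbs, pos)[2]
        fields.append(tbs[pos:end])
        pos = end
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields[4]  # serialNumber, signature, issuer, validity, subject

def subject_hash_old(cert_der):
    """OpenSSL's pre-1.0.0 name hash: first four MD5 bytes of the subject DER, little-endian, as 8 hex digits."""
    return "%08x" % int.from_bytes(hashlib.md5(subject_der(cert_der)).digest()[:4], "little")

def hash_dir_names(bundle_text):
    """c_rehash-style names <hash>.<n>; n distinguishes certs whose subjects hash alike."""
    names, seen = [], {}
    for cert_der in split_bundle(bundle_text):
        h = subject_hash_old(cert_der)
        names.append("%s.%d" % (h, seen.get(h, 0)))
        seen[h] = seen.get(h, 0) + 1
    return names

# Constructed sample input (not real certificates): unsigned TBSCertificate skeletons in the real field order.
def der(tag, *children):
    body = b"".join(children)
    return bytes([tag, len(body)]) + body               # short-form lengths suffice for these small values

def fake_cert(cn):
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, cn.encode()))))  # CN=<cn>
    validity = der(0x30, der(0x17, b"120101000000Z"), der(0x17, b"221231235959Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0x30, der(0x06, b"\x2A\x86\x48")), name, validity, name)
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))

SAMPLE_BUNDLE = "".join("-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(fake_cert(cn)).decode()
                        for cn in ("Sample Root CA 1", "Sample Root CA 2", "Sample Root CA 1"))
```

Running `hash_dir_names(SAMPLE_BUNDLE)` yields two distinct hashes, with the repeated subject numbered `.1` exactly as c_rehash would do for a real collision.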

