On 11/01/2018 09:11 PM, Ken Moffat via blfs-dev wrote:
At last, I've found out *what* was telling me that update-leap (from
ntp) was telling me to install Mozilla::CA because it could not find
the system's certificates.  And no, it was not LWP-Protocol-https -
the deps listed in update-leap are technically correct.

The item in question is HTTP::Tiny which ntp still claims is an
external module, but has been part of core perl since at least
5.14.1 (the oldest log I have on this machine).  And there, the code
says:

    # cert list copied from golang src/crypto/x509/root_unix.go
    foreach my $ca_bundle (
        "/etc/ssl/certs/ca-certificates.crt",     # Debian/Ubuntu/Gentoo etc.
        "/etc/pki/tls/certs/ca-bundle.crt",       # Fedora/RHEL
        "/etc/ssl/ca-bundle.pem",                 # OpenSUSE
        "/etc/openssl/certs/ca-certificates.crt", # NetBSD
        "/etc/ssl/cert.pem",                      # OpenBSD
        "/usr/local/share/certs/ca-root-nss.crt", # FreeBSD/DragonFly
        "/etc/pki/tls/cacert.pem",                # OpenELEC
        "/etc/certs/ca-certificates.crt",         # Solaris 11.2+
    ) {
        return $ca_bundle if -e $ca_bundle;
    }

    die qq/Couldn't find a CA bundle with which to verify the SSL certificate.\n/
      . qq/Try installing Mozilla::CA from CPAN\n/;
}

This looks very like the code I was planning to change in biber if I
could get rid of Mozilla::CA.  So, rather than hack on core perl
(and therefore leave it broken for people who have not made the
change), I propose to do something like

mkdir -pv /etc/pki/tls/certs
ln -svf /etc/ssl/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt


On a related note, why not gradually make this the official location for GNUTLS? It made sense in the past, but today OpenSSL and GNUTLS do not share their certs. GNUTLS shouldn't be looking at OpenSSL's configuration directory at all. I can change the default in make-ca at a later date.

--DJ
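
The following check is an added example, not part of either message and not code from perl, ntp or make-ca. It walks only the path list quoted from HTTP::Tiny above and shows that a symlink such as the proposed one counts only once its target exists; the `ROOT` prefix argument and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Candidate list copied from the HTTP::Tiny excerpt above.
CA_CANDIDATES='/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/openssl/certs/ca-certificates.crt
/etc/ssl/cert.pem
/usr/local/share/certs/ca-root-nss.crt
/etc/pki/tls/cacert.pem
/etc/certs/ca-certificates.crt'

# Print the first candidate that exists under ROOT (hypothetical prefix
# argument, empty for the live system); return 1 if none exists.
# [ -e ] follows symlinks, as Perl's -e does, so a dangling link is skipped.
# Absolute link targets resolve against the real /, not against ROOT.
find_ca_bundle() {
    root=${1:-}
    for path in $CA_CANDIDATES; do
        if [ -e "$root$path" ]; then
            printf '%s\n' "$path"
            return 0
        fi
    done
    return 1
}

# Count PEM certificates in a bundle. An empty file passes the -e test
# above but gives the TLS client nothing to verify against.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Report for the live system.
if bundle=$(find_ca_bundle ""); then
    echo "$bundle: $(count_certs "$bundle") certificate(s)"
else
    echo "no CA bundle at any of the listed paths" >&2
fi
```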
