On 2015-07-30, Ted Unangst <t...@tedunangst.com> wrote: > Michael McConville wrote: >> > Another meat could be, why you're using self-signed certificates? >> > Given the plethora of options for getting free (valid) certificates. >> >> He mentioned in his original email that it's a requirement where he >> works. That's common, from what I hear, although probably not the >> safest. > > I would consider a cert signed by somebody I actually trust (me) safer than > delegating that trust to 300 strangers.
I think cert.pem should move to the etc set, so you can remove CAs from the file (as well as add new ones) without risk of those changes getting reverted. Downside: CA changes will then only take effect after running sysmerge. Is that a problem? Index: base/mi =================================================================== RCS file: /cvs/src/distrib/sets/lists/base/mi,v retrieving revision 1.716 diff -u -p -r1.716 mi --- base/mi 16 Jul 2015 21:28:06 -0000 1.716 +++ base/mi 30 Jul 2015 17:14:15 -0000 @@ -221,7 +221,6 @@ ./etc/skel/.ssh ./etc/ssh ./etc/ssl -./etc/ssl/cert.pem ./etc/ssl/lib ./etc/ssl/private ./etc/systrace Index: etc/mi =================================================================== RCS file: /cvs/src/distrib/sets/lists/etc/mi,v retrieving revision 1.199 diff -u -p -r1.199 mi --- etc/mi 3 Jul 2015 22:52:52 -0000 1.199 +++ etc/mi 30 Jul 2015 17:14:15 -0000 @@ -42,6 +42,7 @@ ./etc/spwd.db ./etc/ssh/ssh_config ./etc/ssh/sshd_config +./etc/ssl/cert.pem ./etc/ssl/openssl.cnf ./etc/ssl/x509v3.cnf ./etc/syslog.conf
