Bug#805646: [Pkg-openssl-devel] Bug#805646: Package using openssl functions does not find default certificates
On Tue, Sep 13, 2022 at 05:23:43PM +0200, Sebastian Andrzej Siewior wrote:
> On 2016-01-04 23:50:10 [+0100], Jan Dittberner wrote:
> > I don't know whether this will have negative side effects but from my point
> > of view it would be nice if the openssl package would do one of the
> > following to properly solve this issue:
> >
> > 1) properly load certificates from /etc/ssl/certs when
> >    SSL_CTX_set_default_verify_paths is called
>
> so I guess this works but it does not provide what it should provide,
> right Kurt?
>
> > 2) change the default paths to /etc/ssl/certs and
> >    /etc/ssl/certs/ca-certificates.crt instead of /usr/lib/ssl/certs and
> >    /usr/lib/ssl/cert.pem
> >
> > 3) provide a symlink from /usr/lib/ssl/cert.pem to
> >    /etc/ssl/certs/ca-certificates.crt
>
> Kurt, I tend to provide this symlink. Any objections?
> I'm kind of confused that it works for others, like curl. But I don't
> see anything wrong with what is done in this bug report.

We have a symlink from /usr/lib/ssl/certs to /etc/ssl/certs for ages.

Kurt

Bug#805646: [Pkg-openssl-devel] Bug#805646: Package using openssl functions does not find default certificates
On 2022-09-13 18:30:05 [+0200], Kurt Roeckx wrote:
> > > 3) provide a symlink from /usr/lib/ssl/cert.pem to
> > >    /etc/ssl/certs/ca-certificates.crt
> >
> > Kurt, I tend to provide this symlink. Any objections?
> > I'm kind of confused that it works for others, like curl. But I don't
> > see anything wrong with what is done in this bug report.
>
> We have a symlink from /usr/lib/ssl/certs to /etc/ssl/certs for ages.

what I see is:
| openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = 3
| openat(AT_FDCWD, "/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
| openat(AT_FDCWD, "/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)

This is X509_CERT_FILE / X509_get_default_cert_file(). So it would need
a symlink from this non-existing file to
/etc/ssl/certs/ca-certificates.crt which is provided/created by
ca-certificates.

> Kurt

Sebastian
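
The two lookups discussed in this thread (the default certificate file and the default certificate directory) can be checked separately. The following is an added example, not part of the original messages or of the openssl package: it reads the locations through Python's ssl.get_default_verify_paths() and reports whether each one resolves. The function names are hypothetical, and SSL_CERT_DIR is treated as a single directory for simplicity.

```python
import os
import re
import ssl

# Subject-hash file names ("<8 hex digits>.<n>") as created by c_rehash / openssl rehash.
HASHED = re.compile(r"^[0-9a-f]{8}\.\d+$")

def check_trust_locations(cafile, capath):
    """Describe what a lookup of a CA bundle file and a hashed CA directory finds."""
    hashed = []
    if os.path.isdir(capath):
        hashed = [n for n in os.listdir(capath) if HASHED.match(n)]
    return {
        "cafile": cafile,
        "cafile_is_symlink": os.path.islink(cafile),
        # None means the path does not exist at all (the ENOENT case in the strace output).
        "cafile_target": os.path.realpath(cafile) if os.path.lexists(cafile) else None,
        "cafile_usable": os.path.isfile(cafile) and os.access(cafile, os.R_OK),
        "capath": capath,
        "capath_target": os.path.realpath(capath) if os.path.isdir(capath) else None,
        "capath_hashed_entries": len(hashed),
    }

def openssl_default_locations(environ=os.environ):
    """Return (cafile, capath): environment override if set, else compiled-in default."""
    p = ssl.get_default_verify_paths()
    # Assumption: SSL_CERT_DIR holds one directory, not a separator-joined list.
    cafile = environ.get(p.openssl_cafile_env) or p.openssl_cafile
    capath = environ.get(p.openssl_capath_env) or p.openssl_capath
    return cafile, capath

if __name__ == "__main__":
    report = check_trust_locations(*openssl_default_locations())
    for key, value in report.items():
        print(f"{key:24} {value}")
```

A report with a populated capath but cafile_target None corresponds to the state described above: the directory symlink is in place while the default file is missing.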