> Date: Sat, 26 Aug 2023 08:20:50 -0700 (PDT)
> From: Paul Goyette <p...@whooppee.com>
>
> OK, I tried to read and understand the thread, but not really sure I
> succeeded with the understanding part. (In fact, I'm pretty sure I
> failed that part, miserably.)

This is about enabling TLS clients -- like ftp(1), pkg_add(1), &c. -- connecting to a server to verify that the server owns the name you used to connect to it, according to a directory of certification authorities (CAs) curated and shipped by Mozilla.

This is specifically about managing /etc/openssl/certs, the place where applications using OpenSSL will look by default for trusted CA certificates (or `trust anchors').

> I've got a simple set-up here, running postfix and pine for Email, and
> of course f-fox for browsing. I've never done anything (at least, not
> deliberately) with certificates; reading and writing Email just works,
> as does most browsing.
>
> Will I need to do anything new (or differently) as a result of these
> recent changes?

Probably not.

- If pine is just reading a local mbox or maildir, or talking to an imap server at localhost, it won't be affected.

- I don't think Postfix will do any TLS validation unless you ask it to explicitly with smtp_tls_* or smtpd_tls_* options or similar, which you presumably haven't done.

- Firefox uses its own internal trust anchors and is not affected by /etc/openssl/certs.

If you currently use security/mozilla-rootcerts or security/ca-certificates (or security/mozilla-rootcerts-openssl) to populate /etc/openssl/certs, and you want to continue to use it, you will have to put the line `manual' in /etc/openssl/certs.conf before you next run postinstall(8).
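An added pre-flight check, not part of this thread, for anyone deciding whether to add `manual' before the next postinstall(8) run: it reports whether /etc/openssl/certs.conf already opts out of automatic management and how many hashed trust-anchor links the directory currently holds. It assumes certs.conf holds one keyword per line and that hashed links are named like 4a6481c9.0 (eight hex digits, a dot, a digit); both paths are parameters so it can be pointed at a test directory.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Assumptions: a line
# consisting only of the word `manual' in certs.conf disables automatic
# management; hashed trust anchors are links named <8 hex digits>.<digit>.

# Print "manual" if the given certs.conf opts out of automatic
# management, otherwise "managed" (a missing file counts as managed).
certs_mode() {
    conf="$1"
    if [ -f "$conf" ] && grep -Eq '^[[:space:]]*manual[[:space:]]*$' "$conf"; then
        echo manual
    else
        echo managed
    fi
}

# Count entries in the certs directory that look like OpenSSL hash links
# (e.g. 4a6481c9.0); other files such as a bundle .crt are not counted.
count_anchors() {
    dir="$1"
    n=0
    for f in "$dir"/*; do
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Human-readable summary; defaults to the system locations.
report() {
    conf="${1:-/etc/openssl/certs.conf}"
    dir="${2:-/etc/openssl/certs}"
    echo "$conf: $(certs_mode "$conf")"
    echo "$dir: $(count_anchors "$dir") hashed trust-anchor link(s)"
}
```

Run `sh certs-check.sh` with `report` appended, or source it and call `report` with alternate paths; "managed" plus a non-zero count from a pkgsrc-populated directory is the situation the paragraph above is warning about.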