On Wed, Dec 21, 2022 at 7:51 PM Peter Kovacs <pe...@apache.org> wrote:
>
> On 21.12.22 at 18:22, Damjan Jovanovic wrote:
> > On Wed, Dec 21, 2022 at 3:37 PM Peter Kovacs <pe...@apache.org> wrote:
> >
> >> Are we aware of this dependency?
> >>
> >> I am running into compiler issues using gcc 11.3 from Ubuntu 22.04 LTS.
> >>
> > I am aware. I discovered, and might even have proposed on this list, that
> > we use that sqlite database ourselves, to import its CA root certificates,
> > without needing to build and ship NSS as a dependency.
>
> I remember we discussed sqlite in the topic "[discussion] future
> embedded DB in AOO".
>
> Maybe I missed the point. Or do you refer to the attempt to replace nss
> with openssl?
>

Yes, a possible replacement was intended. It was a 22 May 2022 email about the new WebDAV module and CA certificate use by Curl and OpenSSL where I said:

---quote---
With the CURLOPT_CAINFO_BLOB option it might even be possible to skip the custom certificate verification we do later, and pre-populate Curl/OpenSSL with NSS certificates from the beginning, I just don't know enough about NSS to rely on that (e.g. if you are using a cryptographic device or smart card in NSS, how does that work?). If that option is ok, then we might not even need the NSS libraries: recent versions of NSS store all the certificates in an SQLite database, which can be accessed with SQLite APIs directly, no need to build with or ship the NSS libraries at all.
---quote---

More recently I discovered p11-kit / p11-glue has the "trust" CLI tool (if not something better) which can also provide those certificates on Linux/BSD, so we wouldn't even need to ship SQLite.
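
The approach described in the message above, reading certificates out of the NSS SQLite store and turning them into the PEM bundle that CURLOPT_CAINFO_BLOB expects, sketched as an added example that is not part of the original email or of the AOO code base. The table name `nssPublic`, the columns `a0` and `a11`, the 4-byte big-endian encoding, and the helper names are assumptions about the store layout; the sample rows are constructed.

```python
import base64
import sqlite3
import textwrap

# Assumptions (not from the email): NSS "sql:" databases (cert9.db) keep
# objects in table nssPublic, one column per PKCS#11 attribute named
# "a<hex id>": a0 = CKA_CLASS, a11 = CKA_VALUE (DER for certificates).
# Integer attributes are assumed stored as 4-byte big-endian blobs.
CKO_CERTIFICATE = (1).to_bytes(4, "big")


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def export_pem_bundle(conn: sqlite3.Connection) -> str:
    """Concatenate every certificate object into one PEM bundle.

    A row being present is not a trust decision: NSS records trust in
    separate objects, which this sketch does not evaluate.
    """
    rows = conn.execute(
        "SELECT a11 FROM nssPublic WHERE a0 = ? ORDER BY id", (CKO_CERTIFICATE,)
    )
    pems = []
    for (value,) in rows:
        # Skip empty values and anything that is not a DER SEQUENCE.
        if isinstance(value, bytes) and value[:1] == b"\x30":
            pems.append(der_to_pem(value))
    return "".join(pems)


def build_constructed_db() -> sqlite3.Connection:
    """In-memory stand-in for cert9.db with constructed, non-real rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nssPublic (id PRIMARY KEY, a0, a11)")
    conn.executemany(
        "INSERT INTO nssPublic VALUES (?, ?, ?)",
        [
            (1, CKO_CERTIFICATE, b"\x30\x03\x02\x01\x01"),  # placeholder DER
            (2, bytes.fromhex("ce534353"), None),  # non-certificate object
            (3, CKO_CERTIFICATE, b"not-der"),  # malformed value
        ],
    )
    return conn


if __name__ == "__main__":
    # A real file would be opened read-only:
    # sqlite3.connect("file:cert9.db?mode=ro", uri=True)
    print(export_pem_bundle(build_constructed_db()), end="")
```

Feeding such a bundle to a TLS client makes every certificate in it a trust anchor, so a real import has to filter on the store's trust records first.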