https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #2 from Mel Pilgrim <ports.maintai...@evilphi.com> ---
(In reply to Michael Osipov from comment #1)

Re: OPENSSLDIR

I agree, OpenSSL should. And until it does and the unknown number of ports stop looking for only /usr/local/openssl/cert.pem (like in that rustsec blocker for 284404), ${LOCALBASE}/openssl will have to exist. Remember, this is about being compatible with ca_root_nss while unbreaking what it breaks.

Re: "ca_root_nss-style"

Fixed by way of those commands no longer existing because of...

Re: commands vs rehash flags

That's an easy enough change. Revised patch to follow. It does mean that do_scan runs more than necessary, and that the create and delete flags now have a last-flag-wins race. But:

- `certctl createbundles` is now `certctl -b rehash`
- `certctl deletebundles` is now `certctl -B rehash`

Re: env var to force generation

I'm a bit unsure what you're asking for. Are you asking for an env var that makes `certctl rehash` act as if the command was `certctl -b rehash`? If so, should it be `certctl -b rehash` or `certctl -be rehash` (i.e., should the env var always create /etc/ssl/cert.pem as well)?

Re: open ports must be reviewed

I agree, but I would like to keep that discussion in the ca_root_nss PR.

Re: CAfile + CApath dubiousness

I agree that having both is a bit nonsensical, but OpenSSL gave us two options and the world said "yes both at once thank you". That is, if there's a performance penalty with having both, it's going to happen whether certctl generates them or ca_root_nss installs them.