https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #18 from Michael Osipov ---
FTR: https://docs.openssl.org/master/man3/SSL_CTX_load_verify_locations/#notes
When looking up CA certificates for chain building, the OpenSSL library will
search for suitable certificates first in C
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #19 from Michael Osipov ---
Will go on to the manpage.
--
You are receiving this mail because:
You are the assignee for the bug.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #17 from Michael Osipov ---
I do now understand your approach and it perfectly makes sense. What is
required:
* either document the numeric states of WANTCERTDESTFILE,
* or switch to a string enum approach like "yes" (default),
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #15 from Jordan Morningstar ---
(In reply to Michael Osipov from comment #14)
The first consideration I had was that this can't change how certctl gets used
by things that need a "just update the trust store" command. That inc
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #14 from Michael Osipov ---
(In reply to Jordan Morningstar from comment #13)
Yes, please. ATM I do struggle to understand. I am not saying that is wrong,
but confusing.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #13 from Jordan Morningstar ---
(In reply to Michael Osipov from comment #12)
* I do not understand why -B is necessary at all
"Aren't "if [ $WANTCERTDESTFILE -a -e "$CERTDESTFILE" ]" + "if [
$WANTCERTDESTFILE ]" later enough?
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #12 from Michael Osipov ---
> * NOOP is not obeyed
Point taken. Resolved.
> * Delete is, again, inconsistent
Resolved.
> * cat arg should be quoted
Agreed.
I do not understand why -B is necessary at all, I mean:
Aren't "if [
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #11 from Michael Osipov ---
Looking through the latest patch, we should discuss the manpage when the code
does not require any more changes.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
Jordan Morningstar changed:
What                           |Removed |Added
Attachment #257538 is obsolete |0       |1
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #9 from Mel Pilgrim ---
Created attachment 257538
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=257538&action=edit
Modified certctl(8) man page
I added the new bits to the man page. I haven't edited a man page bef
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
Mel Pilgrim changed:
What                           |Removed |Added
Attachment #257481 is obsolete |0       |1
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #7 from Michael Osipov ---
(In reply to Mel Pilgrim from comment #6)
Went through, few more issues:
* NOOP is not obeyed
* Delete is, again, inconsistent because look at start of cmd_rehash(), if
checks for existence then it d
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
Mel Pilgrim changed:
What                           |Removed |Added
Attachment #257435 is obsolete |0       |1
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #5 from Mel Pilgrim ---
(In reply to Michael Osipov from comment #4)
* Why is there a BUNDLECMD?
Fair enough. Rewriting for more strict consistency.
* we should have only one CERTDESTFILE
I'll make /etc/ssl/cert.pem the can
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #4 from Michael Osipov ---
(In reply to Mel Pilgrim from comment #2)
Before I get back to these, let me review the new patch first:
* Why is there a BUNDLECMD? I mean we have the rehash, which sweeps and creates
new. We don't
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
Mel Pilgrim changed:
What                           |Removed |Added
Attachment #257429 is obsolete |0       |1
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #2 from Mel Pilgrim ---
(In reply to Michael Osipov from comment #1)
Re: OPENSSLDIR
I agree, OpenSSL should. And until it does and the unknown number of ports
stop looking for only /usr/local/openssl/cert.pem (like in that ru
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
--- Comment #1 from Michael Osipov ---
* There is no OPENSSLDIR ${LOCALBASE}/openssl in base. OpenSSL from ports
should use the truststore from the system. There is an open ticket for this.
* I wouldn't use the term "ca_root_nss-style" in t
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
Michael Osipov changed:
What|Removed |Added
CC||micha...@freebsd.org
Attachment #
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284749
Bug ID: 284749
Summary: certctl: add support for generating cert.pem CAfiles
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
20 matches