At the time being, the ssl application has no default for the Root CA store. It is the user's responsibility to provide one, downloaded on the side.
Describe the solution you'd like
Most operating systems have root CA stores available. I'd like to add the OS storage as the default for the {cacertfile, ...} option of the ssl application.
Additional context
I have been researching this topic in order to make a Pull Request, when @KennethL mentioned that @dgud and @IngelaAndin are also exploring this space.
I'd like to share some findings and synchronise the development in order to avoid overlaps.
My findings and ideas so far:
CentOS root CA store is available as /etc/pki/tls/certs/ca-bundle.crt
Ubuntu root CA store is at /etc/ssl/certs/ca-certificates.crt
FreeBSD root CA store is at /usr/local/share/certs/ca-root-nss.crt, or /etc/ssl/cert.pem if the former does not exist
macOS: technically the keychain is available at /System/Library/Keychains/SystemRootCertificates.keychain (plus the personal keychain), but the official API is Keychain Access (also requiring native code)
I can come up with a draft PR covering Linux + FreeBSD. Tackling Windows and macOS requires agreement on where to put the native code. My hope would be to add it to the crypto application, to avoid introducing extra NIF build complexity for the ssl application. If this approach is acceptable, I would suggest for the crypto app to have an API providing the required access to the certificate store. An alternative is to export this from the public_key app, but it also has no associated NIF.
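As an added illustration of the probing described above (this is not code from the issue or from OTP; the module name, function names and the use of a NIF-free path-probe are assumptions), a small module that tries the bundle locations listed above and wires the first readable one into ssl client options:

```erlang
%% Added example (not OTP code): locate the OS root CA bundle at the paths
%% listed in the issue and build ssl client options around it.
-module(os_cacerts).
-export([cacertfile/0, cacertfile/1, cert_count/1, ssl_opts/1]).
-include_lib("kernel/include/file.hrl").

%% Probe order taken from the findings above: CentOS, Ubuntu, FreeBSD,
%% then FreeBSD's fallback. Windows and macOS stores need native code.
candidates() ->
    ["/etc/pki/tls/certs/ca-bundle.crt",
     "/etc/ssl/certs/ca-certificates.crt",
     "/usr/local/share/certs/ca-root-nss.crt",
     "/etc/ssl/cert.pem"].

%% {ok, Path} for the first readable regular file, else an error tuple.
cacertfile() ->
    case os:type() of
        {win32, _} -> {error, native_store_required};
        _ -> cacertfile(candidates())
    end.

cacertfile([]) -> {error, not_found};
cacertfile([Path | Rest]) ->
    case file:read_file_info(Path) of
        {ok, #file_info{type = regular, access = A}} when A =:= read; A =:= read_write ->
            {ok, Path};
        _ -> cacertfile(Rest)
    end.

%% Sanity check: number of PEM 'Certificate' entries in the bundle.
%% An empty or unparsable bundle would reject every peer once verify_peer is on.
cert_count(Path) ->
    {ok, Pem} = file:read_file(Path),
    length([E || {'Certificate', _, not_encrypted} = E <- public_key:pem_decode(Pem)]).

%% Client options: cacertfile only has an effect together with verify_peer,
%% and hostname matching closes the gap a bare chain check leaves open.
ssl_opts(Host) ->
    {ok, Path} = cacertfile(),
    [{verify, verify_peer},
     {cacertfile, Path},
     {server_name_indication, Host},
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].
```

Typical use is `ssl:connect(Host, 443, os_cacerts:ssl_opts(Host))`, after checking that `os_cacerts:cert_count(Path)` is non-zero for the path that was found.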
You are way ahead of me, I have not even started investigating this.
After a short discussion we believe it is best to make it inside public_key; it belongs best there, or maybe in a new application, but start with a new API module in public_key.
In public_key you will need a new configure file, but that is easier than changing the current one in crypto anyway.