Certificate Authorities: curl-ca-bundle, certsync, keychain

Rainer Müller raimue at macports.org
Fri Dec 6 07:04:36 PST 2013


On 2013-12-06 15:10, Landon Fuller wrote:
> 
> On Nov 28, 2013, at 10:32 , Rainer Müller <raimue at macports.org>
> wrote:
> 
>> The only catch is that custom added certificates or trust anchors
>> need to be in the system keychain to be picked up by certsync by
>> default.
> 
> Yeah, this was an unfortunate trade-off; since certsync is a
> system-wide daemon, and the resulting CA certs file is also
> system-wide, it seemed to be the most appropriate course of action.
> Most of the alternatives involve patching OpenSSL and some of the
> software that depends on it, which is a road I'm personally wary of
> committing to.

Before certsync it was more complicated or even impossible to add your
own certificates into the bundle.

The p11-glue project [1] is an ongoing effort to move certificates,
trust anchors etc. to a single place and let all crypto libraries
(openssl, nss, gnutls, etc.) use a single backend storage. Although
p11-kit is already available in MacPorts, it's used by gnutls only with
curl-ca-bundle.crt as backend (possibly generated by certsync). In the
far future, a backend for p11-kit that uses the OS X keychain directly
could be a solution that avoids patching the various crypto libraries.

Rainer

[1] http://p11-glue.freedesktop.org/
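One practical check that follows from the thread: after certsync has regenerated curl-ca-bundle.crt, confirm that a custom trust anchor actually landed in the bundle by comparing SHA-256 fingerprints. The Python below is an added example, not code from certsync, MacPorts or p11-kit; the two PEM blocks are constructed placeholder bytes rather than real certificates, and the bundle path in the `__main__` section is an assumption.

```python
import base64
import hashlib
import re
import sys

# One PEM certificate block; DOTALL lets the base64 body span several lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def fingerprint_of_der(der):
    """SHA-256 fingerprint of DER bytes as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(bundle_text):
    """Fingerprint of every PEM certificate found in a CA bundle, in file order."""
    fps = []
    for match in PEM_RE.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fps.append(fingerprint_of_der(der))
    return fps


def trust_anchor_present(bundle_text, expected_fp):
    """True if a certificate with the expected SHA-256 fingerprint is in the bundle."""
    wanted = expected_fp.replace(":", "").upper()
    return any(fp.replace(":", "") == wanted for fp in bundle_fingerprints(bundle_text))


# Constructed sample bundle: placeholder bytes stand in for real DER certificates.
SAMPLE_BUNDLE = "\n".join([
    "-----BEGIN CERTIFICATE-----",
    base64.b64encode(b"placeholder-root-ca-1").decode(),
    "-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----",
    base64.b64encode(b"placeholder-internal-ca").decode(),
    "-----END CERTIFICATE-----",
])

if __name__ == "__main__":
    # Assumed MacPorts bundle location; pass the expected fingerprint as argv[1].
    path = "/opt/local/share/curl/curl-ca-bundle.crt"
    with open(path) as fh:
        text = fh.read()
    print("present" if trust_anchor_present(text, sys.argv[1]) else "MISSING")
```

A "MISSING" result after adding a CA to the login keychain is the symptom the thread describes: certsync only reads the system keychain.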
