[MacPorts] #35474: RFE: Have curl-ca-bundle install individual .pem files in ${prefix}/etc/openssl/certs
MacPorts
noreply at macports.org
Sat May 11 19:33:50 PDT 2013
#35474: RFE: Have curl-ca-bundle install individual .pem files in ${prefix}/etc/openssl/certs
-----------------------------+-----------------------
Reporter: landonf@… | Owner: landonf@…
Type: enhancement | Status: new
Priority: Normal | Milestone:
Component: ports | Version:
Resolution: | Keywords:
Port: curl-ca-bundle |
-----------------------------+-----------------------
Comment (by landonf@…):
I finally had time to look at this; it turned out to be pretty easy (well,
the non-Java part, anyway). See the attached certsync.m; it exports anchor
certificates from the system keychain.
To compile:
{{{
clang -mmacosx-version-min=10.6 certsync.m -o certsync -framework Foundation -framework Security -fobjc-arc
}}}
Example usage:
{{{
./certsync -o /opt/local/etc/openssl/cert.pem
}}}
(this overwrites the curl-ca-bundle symlink)
This will write out all OS-included CA certs, as well as any CA certs that
have been installed system-wide by the user -- this ought to make life a
*lot* easier for anyone that works for a company that manages internal
private CAs.
I'm open to suggestions on how best to integrate this into MacPorts; ideally it would be run automatically at activate-time, along with a user-executable script to update the certificates (or via cron, or via monitoring the keychain, or ...).
Since curl is configured with a non-standard certificate path, the above
certsync command won't affect it. You can test with curl by overwriting
the actual path curl is configured with:
{{{
./certsync -o /opt/local/etc/openssl/cert.pem
}}}
(this overwrites the curl-ca-bundle symlink)
Short of patching curl to use SSL_CTX_set_default_verify_paths(), we
should probably change the curl port to use:
{{{
--with-ca-bundle=${prefix}/etc/openssl/cert.pem
}}}
--
Ticket URL: <https://trac.macports.org/ticket/35474#comment:9>
MacPorts <http://www.macports.org/>
Ports system for OS X
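The ticket title asks for one .pem file per CA in ${prefix}/etc/openssl/certs, while certsync (and curl's --with-ca-bundle) work on a single concatenated cert.pem. The POSIX sh below is an added example, not code from the ticket, from certsync.m or from MacPorts: it splits a PEM bundle into individual files, dropping any certificate that appears twice (a keychain export can contain the same anchor under more than one name), and reports how many files came out. The bundle path, the output directory and the sample bundle are assumptions; the sample contains placeholder base64, not real certificates.

```shell
#!/bin/sh
# Added example, not part of ticket #35474 or the MacPorts curl-ca-bundle port.
# Assumed layout: a bundle such as ${prefix}/etc/openssl/cert.pem is split into
# ${prefix}/etc/openssl/certs/cert-NNNN.pem, one certificate per file.

# split_bundle BUNDLE OUTDIR: copy each BEGIN/END CERTIFICATE block into its own
# numbered file, then remove files whose body duplicates an earlier one.
split_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    # Lines outside a BEGIN/END block (comments, subject names that some
    # bundles carry between certificates) are ignored.
    awk -v outdir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            file = sprintf("%s/cert-%04d.pem", outdir, n)
            inside = 1
        }
        inside { print > file }
        /^-----END CERTIFICATE-----/ { inside = 0; close(file) }
    ' "$bundle"
    # Deduplicate: keep the first file for each checksum of the PEM block.
    # cksum is POSIX; sha256sum or shasum -a 256 would serve equally well.
    seen=""
    for f in "$outdir"/cert-*.pem; do
        [ -f "$f" ] || continue
        sum=$(cksum < "$f" | cut -d' ' -f1)
        case " $seen " in
            *" $sum "*) rm -f "$f" ;;
            *) seen="$seen $sum" ;;
        esac
    done
}

# count_certs DIR: number of individual certificate files written.
count_certs() {
    ls "$1"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# make_sample_bundle FILE: constructed three-block bundle for trying the
# splitter offline. The base64 is placeholder text, not a real certificate;
# blocks one and three are identical so the dedup step has something to do.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# constructed sample bundle (comment line outside any block)
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRlIChBKQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRlIChCKQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRlIChBKQ==
-----END CERTIFICATE-----
EOF
}

# Usage on a real system (assumed paths):
#   split_bundle /opt/local/etc/openssl/cert.pem /opt/local/etc/openssl/certs
#   count_certs /opt/local/etc/openssl/certs
```

Two checks worth doing before pointing anything at the result: `curl-config --ca` prints the bundle path the installed curl was built with, so you can confirm which file certsync has to overwrite for curl to notice; and a directory of individual files only works as an OpenSSL CApath after it has been hashed (`c_rehash` on the directory, or `openssl rehash` with newer OpenSSL), since OpenSSL looks certificates up by subject-hash symlink, not by file name.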