On Wed, 20 Sep 2023 08:06:57 +0200, Andreas Vögele wrote:
> Francesco P. Lovergine wrote:
> > I would simply patch Mozilla::CA to have SSL_ca_file() returning the
> > Debian directory /usr/share/ca-certificates/mozilla instead of the
> > cacert.pem file. That would avoid to patch third-parties code that
> > eventually use explicitly the modules. This is compatible with the
> > IO::Socket::SSL module.
> > Does it make sense?
> Fedora patches Mozilla::CA:
> https://src.fedoraproject.org/rpms/perl-Mozilla-CA/tree/rawhide
> I'd use /etc/ssl/certs/ca-certificates.crt instead of
> /usr/share/ca-certificates/mozilla, though.
I'm still not convinced that this is actually useful but if we go
that way, I also suggest to use /etc/ssl/certs/ca-certificates.crt.
Cf. liblwp-protocol-https-perl/debian/patches/cert.patch:
(Simplified pseudo-patch)
- $ssl_opts{SSL_ca_file} = Mozilla::CA::SSL_ca_file();
+ $ssl_opts{SSL_ca_file} = '/etc/ssl/certs/ca-certificates.crt';
Cheers,
gregor
--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`-
Attachment:
signature.asc
Description: Digital Signature