On Wed, 20 Sep 2023 08:06:57 +0200, Andreas Vögele wrote:
Francesco P. Lovergine wrote:
> I would simply patch Mozilla::CA to have SSL_ca_file() returning the
> Debian directory /usr/share/ca-certificates/mozilla instead of the
> cacert.pem file. That would avoid to patch third-parties code that
> eventually use explicitly the modules. This is compatible with the
> IO::Socket::SSL module.
> Does it make sense?
Fedora patches Mozilla::CA:
https://src.fedoraproject.org/rpms/perl-Mozilla-CA/tree/rawhide
I'd use /etc/ssl/certs/ca-certificates.crt instead of
/usr/share/ca-certificates/mozilla, though.
I'm still not convinced that this is actually useful but if we go
that way, I also suggest to use /etc/ssl/certs/ca-certificates.crt.
Cf. liblwp-protocol-https-perl/debian/patches/cert.patch:
(Simplified pseudo-patch)
- $ssl_opts{SSL_ca_file} = Mozilla::CA::SSL_ca_file();
+ $ssl_opts{SSL_ca_file} = '/etc/ssl/certs/ca-certificates.crt';