[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#407550: Bug#600493: ca-certificates depends on openssl, but it's not a necessity

On Sun, Oct 17, 2010, Michael Orlov wrote:
> So, the usecase is instead: not having libssl/openssl installed at all,
> but still having the individual certificates in various directories
> (most bundled with the ca-certificates package), and having the ability
> to combine the trusted ones into ca-certificates.crt, using
> update-ca-certificates, for use by gnutls (or nss).
> c_rehash is not needed for that. I suggest removing the openssl
> dependency, and putting a check for c_rehash existence into
> update-ca-certificates.

 It's a fair request to avoid the openssl dependency.  I am an user of
 the hashed certificates feature, and there is an important performance
 gain for processes not to have to read and parse the whole pile of
 certs in /etc/ssl/certs/ca-certificates.crt but instead just load the
 right one by fingerprint from /etc/ssl/certs/ symlinks.  This is what
 Postfix does with its smtp_tls_CApath and smtpd_tls_CApath options, and
 the Postfix TLS README explains that this is faster than using a single
 CAfile.  (See openssl s_client -CAfile/-CApath flags for
 implementations.)  In the case of Postfix, it's important because the
 processes are short-lived, I expect Apache to be in a similar

 Now, in terms of implementation, update-ca-certificates supports hooks;
 I think hooks should be used to generate these symlinks, and that a new
 openssl hook should test whether c_rehash is present before calling it.

 There's a catch that ca-certificates.crt is in the same directory as
 the other certificates, and should be moved away before calling

Loïc Minier

Reply to: