Re: SSL is broken on FreeBSD



On Fri, Apr 01, 2011 at 12:33:30PM -0400, Robert Simmons wrote:
Now, you are also not satisfied with the CA bundle in the ports
collection because it does not contain the CA that you need. I'm not
sure which one it is that you need. But a good place to start is
here:
http://www.mail-archive.com/modssl-users@xxxxxxxxxx/msg16980.html

That contains a perl script for extracting the CA bundle from
Mozilla's CVS. At first glance, it may frustrate you, because it may
not be obvoius where it connects to (that info is obscured). However,
look at the following help file. It has all the connection details
for mozilla's cvsroot that you will need. Just substitute the
"anonymous@xxxxxxxxxxxxxxxxxxxxxx" for "[EMAIL PROTECTED]" in the
script.
https://developer.mozilla.org/en/Mozilla_Source_Code_Via_CVS

The point of security/ca_root_nss is that it is exactly the set of
certs trusted by Mozilla (via the nss library) via the mechanism
described above. The FreeBSD Project makes no warranty that it is a
good set to trust. It just happens to be a set that is widely trusted.

If you are not satisfied with Mozilla's bundle, you can find google
Chrome's list here somewhere:
http://src.chromium.org/viewvc/chrome/

We might actually want to maintain a port of those as well if they
differ in any meaningful way.

-- Brooks

Attachment: pgpovPaLqNavT.pgp
Description: PGP signature