FS#69298 - [libressl][ca-certificates-utils] /etc/libressl/cert.pem should use certs from /etc/ca-certificates/

Attached to Project: Community Packages
Opened by nl6720 (nl6720) - Tuesday, 12 January 2021, 07:56 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:08 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To Levente Polyak (anthraxx)
Bruno Pagani (ArchangeGabriel)
T.J. Townsend (blakkheim)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:

The libressl package ships with its own CA certificates packed in /etc/libressl/cert.pem. This doesn't seem right.
It should instead use the certs from /etc/ca-certificates/extracted/tls-ca-bundle.pem like it's done for openssl with the /etc/ssl/cert.pem -> ../ca-certificates/extracted/tls-ca-bundle.pem symlink provided by ca-certificates-utils.

IMHO /etc/libressl/cert.pem should be removed from libressl and ca-certificates-utils should provide a /etc/libressl/cert.pem -> ../ca-certificates/extracted/tls-ca-bundle.pem symlink.


Additional info:
* package version(s)
* config and/or log files etc.
* link to upstream bug report, if any
libressl 3.2.3-1
ca-certificates-utils 20181109-4
ca-certificates 20181109-4
ca-certificates-mozilla 3.60.1-1


Steps to reproduce:
$ diff /etc/ssl/cert.pem /etc/libressl/cert.pem
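
Added example (not part of the original report or of either package): a Python sketch that goes beyond the plain `diff` by reporting whether a library's cert.pem resolves to the system bundle and which trust anchors differ by SHA-256 fingerprint. The function names and the demo data are assumptions made for illustration; the byte strings standing in for certificates are constructed.

```python
import base64, hashlib, os, re, tempfile

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(bundle_path):
    """Return the SHA-256 fingerprints of every certificate in a PEM bundle."""
    with open(bundle_path, encoding="ascii", errors="replace") as fh:
        text = fh.read()
    prints = set()
    for body in PEM_RE.findall(text):  # text outside the PEM armour is ignored
        der = base64.b64decode("".join(body.split()))
        prints.add(hashlib.sha256(der).hexdigest())
    return prints

def audit_bundle(candidate, system_bundle):
    """Compare a library's cert.pem against the system trust bundle."""
    follows = os.path.realpath(candidate) == os.path.realpath(system_bundle)
    cand, system = cert_fingerprints(candidate), cert_fingerprints(system_bundle)
    return {
        "follows_system_store": follows,
        # Anchors this library trusts that the system store does not,
        # e.g. CAs that were removed or distrusted locally.
        "extra": sorted(cand - system),
        # Anchors added to the system store that this library will not honour.
        "missing": sorted(system - cand),
    }

def _pem(der):
    """Wrap bytes in PEM armour (helper for the constructed demo data)."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

def demo():
    """Constructed data: opaque byte strings stand in for DER certificates."""
    root = tempfile.mkdtemp()
    system = os.path.join(root, "tls-ca-bundle.pem")
    bundled = os.path.join(root, "libressl-cert.pem")  # static copy in a package
    linked = os.path.join(root, "ssl-cert.pem")        # symlink to the bundle
    with open(system, "w") as fh:
        fh.write(_pem(b"CA-A") + _pem(b"CA-B") + _pem(b"LOCAL-CA"))
    with open(bundled, "w") as fh:
        fh.write(_pem(b"CA-A") + _pem(b"CA-B") + _pem(b"DISTRUSTED-CA"))
    os.symlink(system, linked)
    return audit_bundle(bundled, system), audit_bundle(linked, system)

if __name__ == "__main__":
    for report in demo():
        print(report)
```

On a real system the same check is `audit_bundle("/etc/libressl/cert.pem", "/etc/ca-certificates/extracted/tls-ca-bundle.pem")`.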

Closed by  Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:08 GMT
Reason for closing:  Moved
Additional comments about closing:  https://gitlab.archlinux.org/archlinux/packaging/packages/libressl/issues/1
Comment by Eli Schwartz (eschwartz) - Wednesday, 27 January 2021, 21:58 GMT
  • Field changed: Attached to Project (Arch Linux → Community Packages)
the ca-certificates-utils package should not need to provide a symlink for this community package, it should be the libressl package's responsibility. :D
Comment by Eli Schwartz (eschwartz) - Wednesday, 27 January 2021, 22:01 GMT
IMHO we can fix this by dropping libressl in favor of https://archlinux.org/packages/community/x86_64/libretls/ (just uploaded).

openntpd should build fine with it, future versions of opensmtpd "should" use libtls rather than libressl's libssl.so

Comment by Mikhail N (mikhailnov) - Wednesday, 06 July 2022, 13:01 GMT
Why not just point libressl to /etc/ssl?
Comment by Mikhail N (mikhailnov) - Wednesday, 06 July 2022, 13:03 GMT
To point libressl to /etc/ssl the following is needed:
1) ./configure --with-openssldir=/etc/ssl
2) patch https://abf.io/import/libressl/blob/370f55c1a3/0001-Allow-custom-config-location.patch to separate config from OpenSSL
Comment by nl6720 (nl6720) - Saturday, 18 March 2023, 13:52 GMT
libressl should be added to the https://archlinux.org/todo/use-system-ca-store/ TODO.
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug has been open for more than 2 years. Please reply if you still experience this bug, otherwise this issue will be closed after 1 month.
Comment by jakob (grandchild) - Thursday, 05 October 2023, 13:20 GMT
Right now, no package seems to depend on it, so we might as well drop the package from the repo?
