From: Hal Murray
To: Andrea Venturoli
cc: freebsd-questions@freebsd.org, hmurray@megapathdsl.net
Subject: Re: SSL Certificates in base
Date: Wed, 24 Feb 2021 17:30:38 -0800

ml@netfence.it said:
> Will installing ca_root_nss override the base certs as a whole? Does anything
> that uses certs get the union of the two?

The client side API in OpenSSL is to use this directory and this file for the default root certificate collection.

The file is a collection of certs cat-ed together. It gets read in when the API is called.

The directory is a collection of hashed names that link over to another directory of cert files. There is a utility that sets up the hash links.

Details in SSL_CTX_set_default_verify_paths

I'm pretty sure you can set things up so you can add your certificates in there. I don't have the details, but it feels like a simple HOWTO would cover it once somebody figures out how to do it.

-- 
These are my opinions. I hate spam.
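
An added example (not part of the original message, and not FreeBSD or OpenSSL project code): Python's ssl module reports the default file and directory of the OpenSSL build it is linked against, and the helpers count the certificates concatenated in the file and list the hashed-name links in the directory. The function names, the constructed store and its placeholder certificate bodies are assumptions for illustration.

```python
import os
import re
import ssl
import tempfile

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")  # hashed-name form, e.g. 1a2b3c4d.0

def count_bundle_certs(cafile):
    """Number of PEM certificate blocks concatenated in the bundle file."""
    if not cafile or not os.path.isfile(cafile):
        return 0
    with open(cafile, encoding="ascii", errors="replace") as fh:
        return len(PEM_CERT.findall(fh.read()))

def hashed_links(capath):
    """Map each hashed name in the directory to the file it resolves to."""
    if not capath or not os.path.isdir(capath):
        return {}
    return {name: os.path.realpath(os.path.join(capath, name))
            for name in sorted(os.listdir(capath)) if HASH_LINK.match(name)}

def default_store_report():
    """Summarise the file and directory in effect for default verification."""
    p = ssl.get_default_verify_paths()  # cafile/capath are None when missing on disk
    return {"file": p.cafile, "file_env": p.openssl_cafile_env,
            "dir": p.capath, "dir_env": p.openssl_capath_env,
            "bundle_certs": count_bundle_certs(p.cafile),
            "hashed_links": len(hashed_links(p.capath))}

def constructed_demo():
    """Build a constructed store (placeholder bodies, not real certificates)."""
    root = tempfile.mkdtemp()
    certs, hashed = os.path.join(root, "certs"), os.path.join(root, "hashed")
    os.mkdir(certs)
    os.mkdir(hashed)
    block = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    bundle = os.path.join(root, "cert.pem")
    with open(bundle, "w") as fh:
        fh.write(block * 3)                                  # three certs cat-ed together
    target = os.path.join(certs, "Example_Root.pem")
    with open(target, "w") as fh:
        fh.write(block)
    os.symlink(target, os.path.join(hashed, "0a1b2c3d.0"))   # constructed hash name
    os.symlink(target, os.path.join(hashed, "README"))       # ignored: not a hash name
    return count_bundle_certs(bundle), hashed_links(hashed), target

if __name__ == "__main__":
    print(default_store_report())
    print(constructed_demo())
```

Running `default_store_report()` before and after a change to the certificate store shows whether the file, the hashed directory, or both were affected.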