Once upon a time, Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> said:
> On Sun, 2024-11-17 at 14:14 -0600, Chris Adams wrote:
> > Also, there's not a way to test this (e.g. remove the cert.pem symlink
> > and see what breaks); the change says the speed-up is to use the
> > directory-hash format by default... but there's no hashes in
> > /etc/pki/tls/certs. Something needs to be managing those hashes
> > (creating, updating, deleting stale) BEFORE the bundle can be
>
> There are hashes there on my system. They're symlinks to
> /etc/pki/ca-trust/extracted/pem/directory-hash. Both ends of the symlink
> are owned by ca-certificates; I believe the symlinks are set up by its
> scriptlets.

Hmm, I checked both a system that had Fedora 41 freshly installed and
some systems that were upgraded from Fedora 39 to Fedora 41, and all I
have in /etc/pki/tls/certs is ca-bundle.crt and ca-bundle.trust.crt
symlinks.

Would it be practical to just configure OpenSSL to use a different
(empty) location for cert.pem, rather than deleting the file? I thought
maybe this would be something that can be configured in openssl.cnf, but
it looks like, when testing with "openssl s_client", it looks for certs
before reading openssl.cnf (which seems weird to me, but so are lots of
OpenSSL's ways).

It also seems backwards to read the full file and THEN look for a hash;
seems like if the hash is intended to be faster, reversing that would be
better anyway.

--
Chris Adams <linux@xxxxxxxxxxx>
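
The check discussed in this message (does a certificate directory contain hash-format entries, and are any of them stale?) can be scripted. This is an added example, not part of the original message or of ca-certificates; the function name audit_hash_dir is hypothetical, and it assumes OpenSSL's hash-directory naming of eight lowercase hex digits, a dot, and a sequence number.

```sh
#!/bin/sh
# Added example: count OpenSSL hash-format entries in a certificate
# directory and flag stale ones (symlinks whose target no longer exists).

# Prints "hashed=<n> dangling=<n> other=<n>" for the directory in $1.
# The body runs in a subshell so its variables do not leak to the caller.
audit_hash_dir() (
    dir=$1
    hashed=0
    dangling=0
    other=0
    for entry in "$dir"/*; do
        # An empty or missing directory leaves the glob unexpanded; skip it.
        # -L is tested too because -e is false for a dangling symlink.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        # Hash-format names look like HHHHHHHH.N (assumed naming, see above).
        if printf '%s\n' "$name" | LC_ALL=C grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            hashed=$((hashed + 1))
            # A hash symlink pointing at nothing is a stale entry.
            if [ -L "$entry" ] && [ ! -e "$entry" ]; then
                dangling=$((dangling + 1))
            fi
        else
            other=$((other + 1))
        fi
    done
    echo "hashed=$hashed dangling=$dangling other=$other"
)

# Default to the directory named in the thread; pass another path as $1.
audit_hash_dir "${1:-/etc/pki/tls/certs}"
```

A directory holding only the ca-bundle.crt and ca-bundle.trust.crt symlinks reports hashed=0 other=2.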