Re: F42 Change Proposal: dropping Of cert.pem file (System-Wide)

Once upon a time, Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> said:
> On Sun, 2024-11-17 at 14:14 -0600, Chris Adams wrote:
> > Also, there's not a way to test this (e.g. remove the cert.pem symlink
> > and see what breaks); the change says the speed-up is to use the
> > directory-hash format by default... but there's no hashes in
> > /etc/pki/tls/certs.  Something needs to be managing those hashes
> > (creating, updating, deleting stale) BEFORE the bundle can be
> 
> There are hashes there on my system. They're symlinks to
> /etc/pki/ca-trust/extracted/pem/directory-hash. Both ends of the symlink
> are owned by ca-certificates; I believe the symlinks are set up by its
> scriptlets.

Hmm, I checked both a system that had Fedora 41 freshly installed and
some systems that were upgraded from Fedora 39 to Fedora 41, and all I
have in /etc/pki/tls/certs is ca-bundle.crt and ca-bundle.trust.crt
symlinks.

Would it be practical to just configure OpenSSL to use a different
(empty) location for cert.pem, rather than deleting the file?  I thought
maybe this would be something that can be configured in openssl.cnf, but
it looks like, when testing with "openssl s_client", it looks for certs
before reading openssl.cnf (which seems weird to me, but so are lots of
OpenSSL's ways).

It also seems backwards to read the full file and THEN look for a hash;
seems like if the hash is intended to be faster, reversing that would be
better anyway.

-- 
Chris Adams <linux@xxxxxxxxxxx>
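
One way to check what this exchange disagrees about (whether a certificate directory actually holds hash-named entries, and whether any are stale), as an added example that is not part of the thread or of ca-certificates. The function name `audit_hash_dir` is hypothetical, and the script assumes OpenSSL's CApath naming of eight lowercase hex digits followed by a numeric suffix.

```shell
#!/bin/sh
# Added example: audit an OpenSSL directory-hash (CApath) directory.
# Assumption: certificate lookups use entries named <8 hex digits>.<n>,
# where <n> is a decimal collision counter. CRL links (<hash>.r<n>) and
# bundle files such as ca-bundle.crt are deliberately not counted.

# Usage: audit_hash_dir DIR
# Prints "hashed=<n> dangling=<m>" and returns 0 only if DIR contains at
# least one hash entry and none of them is a dangling symlink.
audit_hash_dir() {
    dir=$1 hashed=0 dangling=0
    for f in "$dir"/*; do
        name=${f##*/}
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].*) ;;
            *) continue ;;              # not hash-named (or empty directory)
        esac
        idx=${name#*.}
        case $idx in
            ''|*[!0-9]*) continue ;;    # suffix must be digits only
        esac
        hashed=$((hashed + 1))
        # A symlink whose target no longer exists is a stale hash entry.
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            dangling=$((dangling + 1))
            echo "stale: $f" >&2
        fi
    done
    echo "hashed=$hashed dangling=$dangling"
    [ "$hashed" -gt 0 ] && [ "$dangling" -eq 0 ]
}

# Run against a directory when one is given, e.g.:
#   sh audit.sh /etc/pki/tls/certs
if [ "$#" -gt 0 ]; then
    audit_hash_dir "$1"
fi
```

A result of `hashed=0` corresponds to the directory described in the reply (only bundle symlinks present); a non-zero `dangling` count points at links left behind after a certificate was removed.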