On Sun, 2024-11-17 at 17:47 -0600, Chris Adams wrote:
> Once upon a time, Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> said:
> > On Sun, 2024-11-17 at 14:14 -0600, Chris Adams wrote:
> > > Also, there's not a way to test this (e.g. remove the cert.pem symlink
> > > and see what breaks); the change says the speed-up is to use the
> > > directory-hash format by default... but there's no hashes in
> > > /etc/pki/tls/certs. Something needs to be managing those hashes
> > > (creating, updating, deleting stale) BEFORE the bundle can be
> >
> > There are hashes there on my system. They're symlinks to
> > /etc/pki/ca-trust/extracted/pem/directory-hash. Both ends of the symlink
> > are owned by ca-certificates; I believe the symlinks are set up by its
> > scriptlets.
>
> Hmm, I checked both a system that had Fedora 41 freshly installed and
> some systems that were upgraded from Fedora 39 to Fedora 41, and all I
> have in /etc/pki/tls/certs is ca-bundle.crt and ca-bundle.trust.crt
> symlinks.
>
> Would it be practical to just configure OpenSSL to use a different
> (empty) location for cert.pem, rather than deleting the file? I thought
> maybe this would be something that can be configured in openssl.cnf, but
> it looks like, when testing with "openssl s_client", it looks for certs
> before reading openssl.cnf (which seems weird to me, but so are lots of
> OpenSSL's ways).

No, it's not runtime configurable AFAIK, and you cannot configure the
paths to the cert file and hash dir separately. You specify a single
directory at compile time, and it looks there for both.

> It also seems backwards to read the full file and THEN look for a hash;
> seems like if the hash is intended to be faster, reversing that would be
> better anyway.

The problem is we have to do this in the code, and it's hard to get
anyone to want to touch this as it's sensitive and it's been the way it's
been forever. Carrying a downstream patch forever doesn't seem great
either.
But I would be in favor of this option on the whole, personally.
--
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw@xxxxxxxxxxxxx
https://www.happyassassin.net
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
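An added example, not part of this thread, for checking the two things Chris and Adam are comparing on their systems: whether a certificate directory actually contains OpenSSL subject-hash entries (names of the form `<8 hex digits>.<n>`, as `openssl rehash` creates) and whether a `cert.pem` is present there. It assumes only POSIX sh; the directory path is a parameter, the sample directory is constructed in a temp dir, and `report_openssl_dir` is a hypothetical helper that just runs `openssl version -d` when the binary exists, to show the compiled-in directory Adam refers to.

```shell
# Count entries in DIR whose names follow the OpenSSL subject-hash
# convention (8 lowercase hex digits, a dot, a sequence number).
count_hash_links() {
  dir=$1
  n=0
  for entry in "$dir"/*; do
    [ -e "$entry" ] || continue          # empty dir: glob stays literal
    name=${entry##*/}
    case "$name" in
      [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
        n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# True when DIR/cert.pem exists (a symlink to an existing target counts).
has_cert_pem() { [ -e "$1/cert.pem" ]; }

# Hypothetical helper: show the compiled-in OPENSSLDIR, if openssl is installed.
report_openssl_dir() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 0; }
  openssl version -d
}

# Constructed sample directory so the checks can be exercised offline:
# a bundle, two hash-style names, one non-hash name, and a cert.pem symlink.
make_sample_dir() {
  d=$(mktemp -d)
  : > "$d/ca-bundle.crt"
  : > "$d/5ed8a8a4.0"    # constructed, not a real CA hash
  : > "$d/a94d09e5.0"    # constructed, not a real CA hash
  : > "$d/notahash.pem"
  ln -s ca-bundle.crt "$d/cert.pem"
  echo "$d"
}

# Usage against a live system would be: count_hash_links /etc/pki/tls/certs
sample=$(make_sample_dir)
echo "hash entries in sample: $(count_hash_links "$sample")"
has_cert_pem "$sample" && echo "sample has cert.pem"
```

A count of 0 in `/etc/pki/tls/certs` with `cert.pem` present matches what Chris describes; a non-zero count matches Adam's system.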