RE: Compiling OpenSSL 1.1 - certs directory is empty, how to obtain?

> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Pete Cooper
> Sent: Saturday, August 24, 2019 13:10

> The `config` and subsequent `make` complete without any visible issues shown. However,
> /etc/php/shared/openssl/certs is an empty directory.

> Are there OpenSSL compile flags to explicitly build or obtain the current up-to-date
> *.pem files for my PHP-only OpenSSL build, or should I be looking elsewhere?

I haven't seen a response to this on the list.

OpenSSL does not include a collection of trusted certificates. You need to get them from some other source. You may copy them from your OS distribution, for example.

Another popular source is the Mozilla certificate collection. Adam Langley wrote a Go program that converts the Mozilla collection to PEM and excludes those marked as untrusted; you can find it at:

   https://github.com/agl/extract-nss-root-certs

(And Go itself is available from https://golang.org, of course, if you don't have that installed.)

There are many opinions about what constitutes a good collection of trust anchors for various applications. Some people feel the collections provided with most OS and browser distributions are too generous, and sacrifice security for interoperability. If you're going to assemble a set of trust anchors that includes public CAs, it may be a good idea to familiarize yourself with the issues. Ivan Ristic's /Bulletproof SSL and TLS/ (available at https://feistyduck.com) has a good survey.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
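
Added example (not part of the original message and not OpenSSL's own tooling): once a PEM bundle has been obtained from one of the sources named above, this script splits it into one file per certificate in the certs directory, lists each anchor for review, and runs `openssl rehash` so directory lookup can find them. The script name, the anchor-NNN.pem file naming and the sample bundle are assumptions made for the example.

```shell
#!/bin/sh
# Added example: fill an OpenSSL CApath directory from a PEM bundle.

# make_sample_bundle FILE: constructed input; the bodies are placeholders,
# not real certificates, so only split_bundle can be exercised with it.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# constructed anchor A
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
# constructed anchor B
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQy
-----END CERTIFICATE-----
EOF
}

# split_bundle BUNDLE DIR: write each certificate to DIR/anchor-NNN.pem,
# dropping any text between blocks, and print the number written.
split_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/anchor-%03d.pem", dir, n); inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { if (inside) close(out); inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# list_anchors DIR: print subject and expiry of each anchor, so the set can
# be reviewed and unwanted CAs deleted before anything trusts the directory.
list_anchors() {
    for f in "$1"/anchor-*.pem; do
        [ -e "$f" ] || continue
        openssl x509 -in "$f" -noout -subject -enddate | tr '\n' ' '; echo
    done
}

# Usage (hypothetical script name): sh install-anchors.sh BUNDLE.pem CERTS_DIR
# "openssl rehash" (OpenSSL 1.1.0+) creates the <subject-hash>.N links that
# directory lookup needs; rerun it after deleting any anchor file.
if [ "$#" -eq 2 ]; then
    split_bundle "$1" "$2" && list_anchors "$2" && openssl rehash "$2"
fi
```

Run it against an empty target directory, for example the /etc/php/shared/openssl/certs directory from the question, so that files left over from an earlier bundle do not remain trusted.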






