Mail Archives: cygwin/2025/02/28/02:20:40

Date: Fri, 28 Feb 2025 10:05:38 +0300
X-Mailer: The Bat! (v9.3.4) Professional
Message-ID: <437536305.20250228100538@yandex.ru>
To: ASSI <Stromeko AT nexgo DOT de>, cygwin AT cygwin DOT com
Subject: Re: update-ca-trust does not create openssl bundle
In-Reply-To: <87v7sxc1t1.fsf@Gerda.invalid>
References: <137545358 DOT 20250225100008 AT yandex DOT ru> <87v7sxc1t1 DOT fsf AT Gerda DOT invalid>
From: Andrey Repin via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Andrey Repin <anrdaemon AT yandex DOT ru>

Greetings, ASSI!

> Andrey Repin via Cygwin writes:
>> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt is missing from my
>> system.
>> The `update-ca-trust extract` doesn't even touch it.
>>
>> What happened?

> Fedora dropped the command that creates the file and removed it from
> distribution here:

> https://src.fedoraproject.org/rpms/ca-certificates/c/7dc60cbc6b0b87462acf6c524bfbd85f1550bec4?branch=rawhide

> You can manually create it like this if it's still needed (I would like
> to know what for):

Not all programs can use hashdir. More so, in many places it was said the
bundle is preferred over the hashdir.
I.e. the PHP openssl module configuration says this:

>> openssl.cafile string
>> Location of Certificate Authority file on local filesystem which should be
>> used with the verify_peer context option to authenticate the identity of
>> the remote peer.
>>
>> openssl.capath string
>> If cafile is not specified or if the certificate is not found there, the
>> directory pointed to by capath is searched for a suitable certificate.
>> capath must be a correctly hashed certificate directory.

Which looks exactly like the bundle is preferred (though I fail to see why.
It'll incur the parsing overhead for certain, where you could pick a specific
cert from the hashdir almost in an instant).

> /usr/bin/trust extract --format=openssl-bundle --filter=certificates
> --overwrite --comment /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

Thanks, I'll try that.

> …although it looks to me that all certs are available individually in
> /etc/pki/tls/certs so the bundle would be redundant.

Indeed, they do.


-- 
With best regards,
Andrey Repin
Friday, February 28, 2025 10:00:37

Sorry for my terrible english...
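
Added example, not part of the original message: a check of the claim in the thread that every certificate in the regenerated bundle is also available individually in /etc/pki/tls/certs. It assumes the bundle holds OpenSSL "TRUSTED CERTIFICATE" PEM blocks (the certificate followed by trust settings) and that the directory holds PEM files; the function names are illustrative.

```python
import base64
import hashlib
import re
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN (TRUSTED CERTIFICATE|CERTIFICATE)-----(.*?)-----END \1-----", re.S)

def first_der_element(der: bytes) -> bytes:
    """Return the first DER SEQUENCE. In a TRUSTED CERTIFICATE block this is
    the X.509 certificate; the bytes after it are OpenSSL trust settings."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length, offset = der[1], 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if len(der) < offset + length:
        raise ValueError("truncated DER")
    return der[:offset + length]

def fingerprints(pem_text: str) -> set:
    """SHA-256 of each certificate in the text, trust settings stripped."""
    found = set()
    for _label, body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha256(first_der_element(der)).hexdigest())
    return found

def missing_from_dir(bundle: Path, certdir: Path) -> set:
    """Fingerprints present in the bundle but in no file of certdir."""
    in_dir = set()
    for entry in certdir.iterdir():
        if entry.is_file():                # follows the hashdir symlinks
            try:
                in_dir |= fingerprints(entry.read_text(errors="replace"))
            except ValueError:             # skip files that are not valid PEM/DER
                continue
    return fingerprints(bundle.read_text(errors="replace")) - in_dir

if __name__ == "__main__":
    # Paths as named in the thread; adjust for the local system.
    bundle = Path("/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt")
    certdir = Path("/etc/pki/tls/certs")
    if bundle.exists() and certdir.is_dir():
        gap = missing_from_dir(bundle, certdir)
        print("bundle is redundant" if not gap else f"{len(gap)} certs only in bundle")
```

An empty result means a capath consumer sees the same anchors as a cafile consumer; the comparison covers certificate identity only, not the per-certificate trust settings carried in the bundle.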
