OpenSSL does not have a root-certificate program. The official position (from http://www.openssl.org/support/faq.html#USER16) is that the job of OpenSSL is to create the code to make trust possible, not dictate who to trust.
In fact, that same FAQ entry has a pointer to an article on extracting the certificates from Mozilla's certdata.txt. (I don't know if that file even exists in the current source, though; if it doesn't, perhaps it might be nice to send them a message on how to extract from the .db files?)

-Kyle H

On Sun, Aug 17, 2008 at 1:18 PM, Daniel Stenberg <[EMAIL PROTECTED]> wrote:
> On Sat, 16 Aug 2008, Nelson B Bolyard wrote:
>
>>> curl is completely independent from browsers, and when installed in systems
>>> it usually uses the system-wide CA cert bundle. Of course it has command
>>> line options to allow the user to specify what CA bundle to use (or indeed
>>> other certs etc).
>>
>> Daniel, thank you for that observation. It tells me that cURL is designed
>> around the OpenSSL idea that the set of trusted certs is a system-wide set,
>> rather than a per-user set.
>
> Well, I don't think this is a curl or any other app thing. Most people install
> an app and they get some default install. Even NSS users such as Firefox bring
> a CA cert bundle that they think the user should use. For a typical user of
> curl or Firefox, they have no idea who provided the ca cert bundle or if it is
> user-specific or system-specific. Not to mention that many systems these days
> are private machines so system == user.
>
> This said, curl is an app that uses libcurl and libcurl can be built to use
> OpenSSL, GnuTLS or NSS and we do our best to not make the choice of SSL/TLS
> library affect how the app is used...
>
>> Previously, someone criticized NSS, saying that it was designed for use only
>> on single-user systems, a criticism that I dispute. NSS is very much
>> oriented toward each user having his own set of trusted flags. In contrast to
>> NSS, the idea that there is only one system-wide set of trusted certs, and
>> that each user does not have his own set, is a very single-user-system
>> approach.
>
> Now you're putting words in my mouth. At no point did I say that any of the
> other libs prevents or even makes it hard to use user-specified certs. I
> don't think they do. But they do make it easy to use PEM certificates, and
> Linux distros these days ship CA certs in PEM format. Lots of apps use that
> system-wide ca cert bundle (by default), but NSS built apps do not. The
> NSS-apps either don't have any ca cert bundle at all or they find out which
> one Firefox uses and get that... (or in Fedora's case they run a patch for NSS
> that makes it capable of reading the system-wide PEM file)
>
>> Perhaps it is most appropriate for cURL to follow the OpenSSL system-wide
>> cert store model when using OpenSSL, and to follow the NSS cert store for
>> each user model when using NSS.
>
> Eeep. OpenSSL does not have a "system-wide cert store model" any more than NSS
> does afaik. Most Linux distros do however provide a system-wide ca cert bundle
> for all apps that can read PEM. (This does not force any user to use that
> bundle.)
>
> --
>
> / daniel.haxx.se
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
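The certdata.txt extraction that Kyle's FAQ pointer refers to, written here as an added example (not code from the thread, OpenSSL, curl or NSS): a Python parser that decodes the CKA_VALUE octal blobs and emits PEM only for roots whose CKA_TRUST_SERVER_AUTH marks them a trusted delegator, so email-only or distrusted roots never land in a TLS bundle. The input excerpt and labels are constructed, and certificate and trust objects are paired by CKA_LABEL, an assumption a production converter would replace with issuer and serial matching.

```python
import base64
import re
# Constructed certdata.txt excerpt (placeholder CKA_VALUE bytes, not a real cert; fields trimmed).
SAMPLE_CERTDATA = r'''CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\012\002\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
'''
# Trust values meaning "usable as a TLS trust anchor"; files predating the NSS rename spell it NETSCAPE.
TRUSTED_DELEGATOR = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}

def parse_certdata(text):
    """Return (label -> DER bytes, label -> CKA_TRUST_SERVER_AUTH value), paired by label."""
    certs, trust, label = {}, {}, ""
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("CKA_LABEL UTF8 "):
            label = line.split(" ", 2)[2].strip().strip('"')
        elif line.startswith("CKA_VALUE MULTILINE_OCTAL"):
            der = bytearray()  # decode the \NNN octal escapes up to the END marker
            for octal in lines:
                if octal.strip() == "END":
                    break
                der += bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
            certs[label] = bytes(der)
        elif line.startswith("CKA_TRUST_SERVER_AUTH CK_TRUST "):
            trust[label] = line.split(" ", 2)[2].strip()
    return certs, trust

def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def build_bundle(text):
    certs, trust = parse_certdata(text)
    kept = [lbl for lbl in certs if trust.get(lbl) in TRUSTED_DELEGATOR]  # drops email-only/distrusted
    return kept, "".join(f"# {lbl}\n{to_pem(certs[lbl])}" for lbl in kept)
```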