From: Andreas Enge
Subject: CA certificates
Date: Tue, 10 Feb 2015 21:14:52 +0100
Message-ID: <20150210201452.GA15529@debian>
To: guix-devel@gnu.org

The attached patch series
1) adds a (private) Python script to extract single certificates in .pem
   format from a big textfile in Mozilla source format;
2) adds the package nss-certs, which contains the certificates thus extracted
   in OUT/etc/ssl/certs, preprocessed with c_rehash for use with openssl;
3) adds "etc/ssl/certs" as a native-search-path for SSL_CERT_DIR to openssl.

So if you do a
   guix package -i openssl nss-certs youtube-dl
and add SSL_CERT_DIR as stipulated by the text output after the installation,
things work out of the box.

The search path definition means that we could have alternative root
certificate packages (potentially one per certification authority) and that
the user could install the ones he trusts.

The patches currently are in a branch wip-certs. Suggestions are welcome.

Andreas
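Added example, not part of the original message and not the script from the patch series: a sketch of extracting PEM certificates from text in Mozilla's certdata.txt syntax. It goes one step beyond plain extraction by keeping only roots whose trust object marks them as trusted for TLS server authentication, since the file also carries distrusted entries. Assumptions: the function names are hypothetical, the sample input is constructed, and trust objects are paired with certificates by CKA_LABEL as a simplification.

```python
import base64

SAMPLE = r'''CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
'''  # constructed input: the octal bytes are placeholders, not real certificates

def parse_objects(text):
    """Return one dict per object; each CKA_CLASS line starts a new object."""
    objs, octal = [], None
    for line in text.splitlines():
        parts = line.split(None, 2)
        if octal is not None:                    # inside a MULTILINE_OCTAL value
            octal.extend(int(o, 8) for o in line.strip().split("\\")[1:])
            if line.strip() == "END":
                octal = None
        elif len(parts) >= 2 and not line.startswith("#"):
            if parts[0] == "CKA_CLASS":
                objs.append({})
            if objs and parts[1] == "MULTILINE_OCTAL":
                octal = objs[-1][parts[0]] = bytearray()
            elif objs:                           # skips header lines before the first object
                objs[-1][parts[0]] = parts[-1].strip('"')
    return objs

def trusted_server_pems(text):
    """Map label -> PEM, keeping only roots trusted for TLS server authentication."""
    objs = parse_objects(text)
    trusted = {o.get("CKA_LABEL") for o in objs
               if o.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR"}
    pems = {}
    for o in objs:
        if o.get("CKA_CLASS") == "CKO_CERTIFICATE" and (label := o.get("CKA_LABEL")) in trusted:
            b64 = base64.b64encode(o["CKA_VALUE"]).decode()
            body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            pems[label] = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return pems
```

Each returned PEM would be written to its own file in the certificate directory before c_rehash is run over it; a production extractor should pair trust objects with certificates by issuer and serial number rather than by label.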