Mac OS X does ship with a suitable CA bundle, it's just not where
OpenSSL looks for it. You can do:
sudo sh -c 'umask 0; ln -s /usr/share/curl/curl-ca-bundle.crt /System/Library/OpenSSL/cert.pem'
To create a symbolic link from the location where the standard Mac OS
X OpenSSL library looks to the pre-installed cURL certificate bundle.
The curl bundle has been shipping with Mac OS X for some years now. I
have no idea why Apple doesn't include a symbolic link or copy of it
in the right place so OpenSSL can find and use it.
Kyle
On May 17, 2008, at 15:35, Jack Repenning <jackrepenning_at_tigris.org>
wrote:
> Or, as Maxwell Smart used to say, "missed by THAT much!"
>
> As it turns out:
> * Subversion uses OpenSSL to do the "s" in https
> * Mac OS X comes with OpenSSL
> * SSL requires a bunch of "certifying authorities" to validate
> server certificates
> * Mac OS X comes with a bunch of 'em
> * ... but not installed anywhere that OpenSSL can find 'em!
>
> Has this ever been discussed here in dev@ (or users@, for that
> matter)? I couldn't find it.
>
> OS X ships the CA keys buried inside their sweet Keychain Access
> app, which is swell for folks who speak KeychainServices. But
> OpenSSL doesn't (some quibble about portability, perhaps?).
> Lacking the CA keyring, the user gets the famous "(r)eject, accept
> (t)emporarily, accept (p)ermanently" dialog, a minor annoyance to
> the command-line user, a larger one to the GUI user since most of
> us GUI implementers haven't bothered to GUIfy that.
>
> There's a quite straightforward end-user technique available to
> copy the CAs out of Keychain Access and install them into OpenSSL
> (what you do is, you copy them out of KA and drop them into the
> expected directory), but having end-users do that is obviously
> undesirable.
>
> What I'm wondering is, has anyone ever carried this complaint to
> Apple? There's got to be a straightforward way for them to publish
> the CA keyring where OpenSSL can find it (I use that slightly timid
> and querulous tone because I did a bit of digging and learned that
> the OS X CA keyring isn't ... *quite* ... handled like other
> keyrings, sigh).
>
>
> -==-
> Jack Repenning
> jackrepenning_at_tigris.org
> Project Owner
> SCPlugin
> http://scplugin.tigris.org
> "Subversion for the rest of OS X"
Received on 2008-05-18 03:22:21 CEST
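
A check for the result of the symlink step in the reply above, as an added example that is not part of the original thread: it reports whether cert.pem in an OpenSSL directory resolves to a real bundle containing certificates. The function name, the status words and the group/other-writable test are assumptions of this example; the writable test is there because anyone who can edit the bundle can add a trusted CA.

```shell
#!/bin/sh
# check_ca_bundle DIR   (hypothetical helper, not from the thread)
# Prints one status word for DIR/cert.pem, the default CA bundle file
# OpenSSL loads from its configuration directory:
#   missing   no cert.pem at all
#   dangling  cert.pem is a symlink whose target does not exist
#   empty     the file holds no PEM certificate
#   writable  the file (symlink target) is group- or world-writable
#   ok        none of the above
# Returns 0 only for "ok".
check_ca_bundle() {
    pem="$1/cert.pem"
    # -e follows symlinks, so a link with no target fails -e but passes -L.
    if [ -L "$pem" ] && [ ! -e "$pem" ]; then
        echo dangling; return 1
    fi
    if [ ! -e "$pem" ]; then
        echo missing; return 1
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo empty; return 1
    fi
    # find -L tests the permissions of the link target, not the link.
    if [ -n "$(find -L "$pem" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo writable; return 1
    fi
    echo ok
}

# Stand-alone use: pass the OpenSSL directory as the first argument.
# On the system described in the thread that is /System/Library/OpenSSL;
# elsewhere it can be read with:  openssl version -d | cut -d'"' -f2
if [ $# -gt 0 ]; then
    check_ca_bundle "$1"
fi
```
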