On May 16, 2008, at 4:47 PM, Mark Phippard wrote:
>> OS X ships the CA keys buried inside their sweet Keychain Access app, which
>> is swell for folks who speak KeychainServices. But OpenSSL doesn't (some
>> quibble about portability, perhaps?). Lacking the CA keyring, the user gets
>> the famous "(r)eject, accept (t)emporarily, accept (p)ermanently" dialog, a
>> minor annoyance to the command-line user, a larger one to the GUI user since
>> most of us GUI implementers haven't bothered to GUIfy that.
>
> I do not think the last statement is true. It is pretty trivial to
> implement the callback for this. All of the GUIs I use support it.
My point was not so much that implementing the GUI is hard, but rather
that it shouldn't be happening, for perfectly valid certs attested by
perfectly valid CAs, and therefore the proper fix would be to install
the system CA certs into somewhere that OpenSSL can find them. But
that's "hard" because the only technique I knew at the time I wrote
that involved extracting them from the Keychain, which introduces the
new problem of keeping them current as they expire and are refreshed.
> On May 17, 2008, at 6:21 PM, Kyle McKay wrote:
>
>> Mac OS X does ship with a suitable CA bundle, it's just not where
>> OpenSSL looks for it. You can do:
>>
>> sudo sh -c 'umask 0; ln -s /usr/share/curl/curl-ca-bundle.crt /System/Library/OpenSSL/cert.pem'
>>
>> To create a symbolic link from the location where the standard Mac
>> OS X OpenSSL library looks to the pre-installed cURL certificate
>> bundle.
That's definitely better than my "manual export and install"
technique, thanks!
-==-
Jack Repenning
jackrepenning_at_tigris.org
Project Owner
SCPlugin
http://scplugin.tigris.org
"Subversion for the rest of OS X"
Received on 2008-05-19 20:56:58 CEST
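
A check for the symlink approach discussed in this thread, as an added example that is not part of the original messages: it confirms that the file OpenSSL will read as its default CA bundle resolves, holds PEM certificates, and is not writable by group or others. The function name `check_ca_bundle` and its exit codes are this example's own; the default path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: sanity-check the file OpenSSL reads as its default CA bundle.
# check_ca_bundle is a hypothetical helper; exit codes are this example's own.

check_ca_bundle() {
    link=${1:-/System/Library/OpenSSL/cert.pem}

    # A symlink whose target was moved or removed leaves OpenSSL with no CAs,
    # which brings back the reject/accept prompt for every certificate.
    if [ -L "$link" ] && [ ! -e "$link" ]; then
        echo "dangling symlink: $link"
        return 2
    fi
    if [ ! -f "$link" ]; then
        echo "missing or not a regular file: $link"
        return 1
    fi

    # The bundle must hold at least one PEM certificate.
    # grep -c exits non-zero on zero matches, hence the "|| true".
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$link" || true)
    if [ "$count" -eq 0 ]; then
        echo "no PEM certificates in: $link"
        return 3
    fi

    # Anyone who can write the resolved file can add a trusted CA.
    # -L makes find test the symlink's target, not the link itself.
    loose=$(find -L "$link" -prune \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "group- or world-writable bundle: $link"
        return 4
    fi

    echo "ok: $link ($count certificates)"
    return 0
}
```

Run it with no argument to check the path from the thread, or pass another bundle path as the first argument.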