curl-library

Re: Packaging the certificate bundle (was Re: Two Requests of Mine)

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Tue, 19 Oct 2004 11:10:12 -0700

On Mon, Oct 18, 2004 at 04:33:18PM +0200, Daniel Stenberg wrote:
> Speaking of this bundle, I can't find it in the OpenSSL source tree.
>
> We had this debate a while ago when it was suggested that we should detect
> and use this one.
>
> I recall reading somewhere that OpenSSL does not provide a ca cert bundle
> on purpose.
>
> Can we figure out where this comes from?

I checked a half dozen or so different Linux distributions' RPMs, and all of
them that include a certificate bundle supply it separately from the OpenSSL
sources. The Red Hat 7.2 version is almost identical to curl's, including
the "automatically extracted from Netscape Communicator 4.72" statement
at the top. I did find at least one distribution that did not include
a certificate bundle with OpenSSL, although it's possible one is available
in a separate package.

So, you're right, you can't depend on having it available on any
arbitrary machine with OpenSSL. What I decided to do for my RPMs is to
compile libcurl to use Red Hat's bundle included in the OpenSSL
package by default, but to supply curl's version in the
/usr/share/doc/libcurl... directory so those who want it can still select
it manually. That cleanly fixes the packaging problem for me.

>>> Dan

-- 
http://www.MoveAnnouncer.com              The web change of address service
          Let webmasters know that your web site has moved
Received on 2004-10-19