Date: Fri, 28 Feb 2025 10:05:38 +0300
Message-ID: <437536305.20250228100538@yandex.ru>
To: ASSI <Stromeko@nexgo.de>, cygwin@cygwin.com
Subject: Re: update-ca-trust does not create openssl bundle
In-Reply-To: <87v7sxc1t1.fsf@Gerda.invalid>
References: <137545358.20250225100008@yandex.ru> <87v7sxc1t1.fsf@Gerda.invalid>
From: Andrey Repin via Cygwin <cygwin@cygwin.com>
Reply-To: cygwin@cygwin.com
Cc: Andrey Repin <anrdaemon@yandex.ru>

Greetings, ASSI!

> Andrey Repin via Cygwin writes:
>> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt is missing from my
>> system.
>> The `update-ca-trust extract` doesn't even touch it.
>>
>> What happened?

> Fedora dropped the command that creates the file and removed it from
> distribution here:

> https://src.fedoraproject.org/rpms/ca-certificates/c/7dc60cbc6b0b87462acf6c524bfbd85f1550bec4?branch=rawhide

> You can manually create it like this if it's still needed (I would like
> to know what for):

Not all programs can use hashdir. More so, in many places it was said the
bundle is preferred over the hashdir.
I.e. the PHP openssl module configuration says this:

>> openssl.cafile string
>> Location of Certificate Authority file on local filesystem which should be
>> used with the verify_peer context option to authenticate the identity of
>> the remote peer.
>>
>> openssl.capath string
>> If cafile is not specified or if the certificate is not found there, the
>> directory pointed to by capath is searched for a suitable certificate.
>> capath must be a correctly hashed certificate directory.

Which looks exactly like the bundle is preferred (though I fail to see why?
It'll incur the parsing overhead for certain, where you could pick a specific
cert from the hashdir almost in an instant).

> /usr/bin/trust extract --format=openssl-bundle --filter=certificates
> --overwrite --comment /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

Thanks, I'll try that.

> …although it looks to me that all certs are available individually in
> /etc/pki/tls/certs so the bundle would be redundant.

Indeed, they do.


-- 
With best regards,
Andrey Repin
Friday, February 28, 2025 10:00:37

Sorry for my terrible English...
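The regeneration step discussed above, wrapped as a small check script. This is an added example, not code from the thread or from Cygwin's ca-certificates package; it assumes p11-kit's `trust` binary is installed and uses the Cygwin bundle path quoted in the thread, so programs that only take an openssl.cafile-style path keep a usable bundle after `update-ca-trust extract` stops producing one.

```shell
#!/bin/sh
# Added example: keep the OpenSSL-style CA bundle present for programs that
# only accept a single cafile (e.g. PHP's openssl.cafile setting).
# Assumes p11-kit's `trust` is on PATH; the default path is the one from the thread.

BUNDLE="${BUNDLE:-/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt}"

# Count PEM certificate blocks in a file. `trust extract --format=openssl-bundle`
# writes "TRUSTED CERTIFICATE" blocks, so both spellings are counted.
# Prints 0 for a missing or unreadable file.
count_pem_certs() {
    f="$1"
    [ -r "$f" ] || { echo 0; return 0; }
    grep -c -E -e '^-----BEGIN (TRUSTED )?CERTIFICATE-----$' "$f" || true
}

# Regenerate the bundle with the command ASSI gave when it is missing or holds
# no certificates. Returns 0 when a usable bundle is in place, 1 otherwise.
ensure_ca_bundle() {
    bundle="${1:-$BUNDLE}"
    if [ "$(count_pem_certs "$bundle")" -gt 0 ]; then
        return 0
    fi
    command -v trust >/dev/null 2>&1 || { echo "trust(1) not found" >&2; return 1; }
    mkdir -p "$(dirname "$bundle")" || return 1
    trust extract --format=openssl-bundle --filter=certificates \
        --overwrite --comment "$bundle" || return 1
    [ "$(count_pem_certs "$bundle")" -gt 0 ]
}

# Run the check only when explicitly requested, e.g. from a post-install hook:
#   CHECK_CA_BUNDLE=1 sh ensure-ca-bundle.sh
[ "${CHECK_CA_BUNDLE:-0}" = 1 ] && ensure_ca_bundle "$BUNDLE"
```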
