QSslSocketPrivate::unixRootCertDirectories provides a list of directories to scan for individual certificate files.
Only /etc/ssl/certs/ is relevant to FreeBSD; the other directories do not exist.

It might be a good idea to add /usr/local/etc/ssl/certs/ there.
And maybe some other directories where either FreeBSD base or FreeBSD ports install certificate files.
E.g., /usr/share/certs/trusted.

That wouldn't be needed because /etc/ssl/certs/ is supposed to have symbolic links to all trusted certificates. And it does. But QSslSocketPrivate::systemCaCertificates sets a filter on the certificate file names and the filter allows only *.crt and *.pem files while the symbolic links do not have an extension (they have .N suffixes, e.g., .0, to resolve potential fingerprint conflicts).

So, the current combination of directory paths and file name filters means that no individual certificates are loaded by the Qt SSL code.

Things are not broken only because the code also loads certificate bundle files.
QSslSocketPrivate::systemCaCertificates has hardcoded paths /etc/pki/tls/certs/ca-bundle.crt and /usr/local/share/certs/ca-root-nss.crt.
The former is not used on FreeBSD, the latter is there specifically for FreeBSD.
It works, but I think that it would be better to use /etc/ssl/cacert.pem (which is typically a symbolic link to ca-root-nss.crt).
Maybe /usr/local/etc/ssl/cert.pem as well.
Those paths seem to be "canonical" while ca-root-nss.crt is a detail of ca_root_nss port.

In summary.
Qt SSL does not load any individual root certificate files at all.
Qt SSL does load a root certificate bundle file but it could be done through a better path (or paths).

--
Andriy Gapon

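Added example (not Qt's code and not from the post above) that reproduces the file-name filter mismatch on a constructed directory tree, so it can be run without Qt or a FreeBSD box. It applies Qt's two name filters (*.pem, *.crt) and a variant that also accepts OpenSSL hash-link names (<8 hex digits>.<N>, the c_rehash / certctl(8) convention) to a miniature /etc/ssl/certs/, and picks a bundle from the candidate paths in the order the post suggests. The temporary tree, the link names deadbeef.0 / deadbeef.1 / cafebabe.0 and the placeholder file contents are constructed for the demo; only the names matter.

```python
"""Added example, not Qt's code and not from the post: reproduce the file-name
filter mismatch the post describes, on a constructed directory tree.

Qt's QSslSocketPrivate::systemCaCertificates() applies the name filters
*.pem and *.crt to every directory from unixRootCertDirectories().  On
FreeBSD /etc/ssl/certs/ holds OpenSSL hash links named <8 hex digits>.<N>,
which match neither pattern, so the directory scan finds nothing.
"""
import fnmatch
import os
import re
import tempfile

# The two patterns Qt uses (qsslsocket_openssl.cpp, systemCaCertificates()).
QT_NAME_FILTERS = ("*.pem", "*.crt")
# Hash-link names: subject-name hash in hex, then a counter (.0, .1, ...)
# that disambiguates certificates whose hashes collide.
HASH_LINK_RE = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")

# Constructed placeholder contents; only the file *names* matter here.
PLACEHOLDER_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   b"(constructed placeholder, not a real certificate)\n"
                   b"-----END CERTIFICATE-----\n")


def qt_filter(name):
    """Accept a file name the way Qt's QDir name filters do."""
    return any(fnmatch.fnmatch(name, pat) for pat in QT_NAME_FILTERS)


def freebsd_filter(name):
    """Qt's patterns plus the OpenSSL hash-link naming used in /etc/ssl/certs/."""
    return qt_filter(name) or HASH_LINK_RE.match(name) is not None


def scan_cert_dir(directory, accept):
    """Sorted canonical paths of regular files in `directory` whose name passes
    `accept`.  Like Qt, symlinks are followed and de-duplicated by canonical
    path; dangling links (os.path.isfile() is False) are skipped."""
    try:
        names = os.listdir(directory)
    except FileNotFoundError:
        return []
    found = set()
    for name in names:
        path = os.path.join(directory, name)
        if accept(name) and os.path.isfile(path):
            found.add(os.path.realpath(path))
    return sorted(found)


# Bundle locations in the order the post suggests, most "canonical" first.
BUNDLE_CANDIDATES = (
    "etc/ssl/cacert.pem",                     # usually a link to the nss bundle
    "usr/local/etc/ssl/cert.pem",
    "usr/local/share/certs/ca-root-nss.crt",  # detail of the ca_root_nss port
)


def pick_bundle(root):
    """First existing bundle candidate under `root`, as (path, canonical path)."""
    for rel_path in BUNDLE_CANDIDATES:
        path = os.path.join(root, rel_path)
        if os.path.isfile(path):
            return path, os.path.realpath(path)
    return None


def build_sample_tree(root):
    """Lay out a miniature FreeBSD-like tree under `root` (all constructed):
      usr/local/share/certs/ca-root-nss.crt          bundle from ca_root_nss
      etc/ssl/cacert.pem -> that bundle
      usr/share/certs/trusted/{alpha,beta}.pem        individual trusted certs
      etc/ssl/certs/deadbeef.0 -> trusted/alpha.pem   hash links; .0 and .1
      etc/ssl/certs/deadbeef.1 -> trusted/beta.pem    simulate a hash collision
      etc/ssl/certs/cafebabe.0 -> (missing target)    a stale, dangling link
    """
    for d in ("usr/local/share/certs", "usr/share/certs/trusted", "etc/ssl/certs"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    with open(os.path.join(root, "usr/local/share/certs/ca-root-nss.crt"), "wb") as f:
        f.write(PLACEHOLDER_PEM)
    for name in ("alpha.pem", "beta.pem"):
        with open(os.path.join(root, "usr/share/certs/trusted", name), "wb") as f:
            f.write(PLACEHOLDER_PEM)
    # Relative link targets, as a real install would have them.
    os.symlink("../../usr/local/share/certs/ca-root-nss.crt",
               os.path.join(root, "etc/ssl/cacert.pem"))
    links = {"deadbeef.0": "alpha.pem", "deadbeef.1": "beta.pem", "cafebabe.0": "gone.pem"}
    for link, target in links.items():
        os.symlink("../../../usr/share/certs/trusted/" + target,
                   os.path.join(root, "etc/ssl/certs", link))


def run_demo(root=None):
    """Build the tree (in a fresh temp dir unless `root` is given) and report
    what each filter finds, as paths relative to the tree root."""
    root = os.path.realpath(root or tempfile.mkdtemp(prefix="qtssl-"))
    build_sample_tree(root)
    certs_dir = os.path.join(root, "etc/ssl/certs")

    def rel(path):
        return os.path.relpath(path, root)

    chosen = pick_bundle(root)
    return {
        "qt": [rel(p) for p in scan_cert_dir(certs_dir, qt_filter)],          # []
        "freebsd": [rel(p) for p in scan_cert_dir(certs_dir, freebsd_filter)],
        "bundle": None if chosen is None else (rel(chosen[0]), rel(chosen[1])),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:8} {value}")
```

Running it shows the Qt-style scan returning an empty list for the hash-link directory while the hash-aware filter finds both trusted certificates once each (the dangling link is skipped, and the two links collapse to their canonical targets), and the bundle lookup resolving etc/ssl/cacert.pem to the ca-root-nss.crt file it links to. The regex is deliberately strict (exactly eight lowercase hex digits, then a numeric suffix) so that stray files such as a README in the directory are still ignored.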