On Mon, Jun 25, 2012 at 5:11 AM, Ken Barber <k...@puppetlabs.com> wrote:
> (responding to puppet-dev)
>
>>>> I've managed to solve it on Linux by specifying:
>>>> https_object.ca_path = '/etc/ssl/certs'
>>
>> You managed to work around your broken build, I think.
>
> You mean Debian 6's broken build - Lol ... found this using the system
> ruby 1.8 from Debian, latest version :-).
>
>> We should use the system certificate set, and *ONLY* the system
>> certificate set, since that is the only thing that will allow our users
>> control over what is or is not trusted.
>>
>> Anything where we adjust the default settings is a terrible mistake:
>> we are taking out of the hands of our users the right to manage trust.
>>
>> (With the obvious exception of our own private CA for internal use. :)
>
> Sure - good point.
>
>> On Linux that usually means installing `ca-certificates` or a
>> similarly named package. On the mac, with the system OpenSSL, that
>> comes from KeyChain. On Windows I don't actually know, but I would
>> expect it to integrate with the system trust store.
>>
>> The most common place I have run into this with is RVM, either using a
>> non-standard OpenSSL (eg: RVM package, or MacPorts), in which case the
>> solution is to configure your other OpenSSL correctly also.
>
> Sounds like I'll have to go through the various system Rubies and SSL
> variants and find out how broken or weird they are, and find out what
> is needed to make them work.

I think you just want to call X509_STORE_set_default_paths[1], which will load the ca certs from the platform-appropriate trust store. There seems to be a ruby method for it[2]. As far as Windows, there's an openssl patch to have it use capi (crypto api) to load the trusted certs[3].
Josh

[1] http://fossies.org/dox/brx.src-1.6.0/x509__d2_8c_source.html#l00065
[2] https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_x509store.c#L581-L612
[3] http://old.nabble.com/Get-root-certificates-from-System-Store-of-Windows-to27098554.html#a27109848

--
Josh Cooper
Developer, Puppet Labs
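As an added illustration of the approach Josh points at (example code written for this page, not code from the thread or from Puppet): a Ruby `OpenSSL::X509::Store` seeded only from the platform trust store via `set_default_paths` (the `X509_STORE_set_default_paths` call), with the "own private CA" exception handled by adding that CA explicitly instead of changing OpenSSL's defaults. The CA and leaf certificate, their names and keys are all constructed in memory for the example.

```ruby
require 'openssl'

# Build an X.509 certificate in memory; with no issuer_cert it is self-signed (our
# private CA). Subject names and keys are constructed for this example only.
def make_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = make_cert('/CN=Example Private CA', CA_KEY, 1, ca: true)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert('/CN=puppet.example.test', LEAF_KEY, 2,
                      issuer_cert: CA_CERT, issuer_key: CA_KEY)

# A store seeded only from the platform trust store (X509_STORE_set_default_paths),
# so what is trusted stays under the administrator's control.
def system_store
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store
end

# The same store plus the one private CA we operate ourselves, added explicitly.
def system_store_plus_private_ca(ca_cert)
  store = system_store
  store.add_cert(ca_cert)
  store
end

# true if the store can build a chain from cert to a trusted root.
def trusted?(store, cert)
  store.verify(cert)
end

puts "leaf via system roots only:     #{trusted?(system_store, LEAF_CERT)}"
puts "leaf via system roots + our CA: #{trusted?(system_store_plus_private_ca(CA_CERT), LEAF_CERT)}"
```

The first check is false on any sane system (no platform root signed our in-memory CA); the second is true because the private CA was added on top of, not instead of, the system trust.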