Subject: Proposal: load certs from /etc/ssl/certs instead of the bundled cacert.pem
Mozilla::CA is convenient because it is available on CPAN and it is portable. And because of this, many CPAN distributions rely on it either as the default certificate store or as the default one.
However, it is insecure, or at least less secure than the certificate store provided by the operating system. One minimum reason is that it is not kept up to date like the rest of the operating system.
I've hacked a module Mozilla::CA::Debian that provides the Mozilla::CA interface but instead uses the certificates from /etc/ssl/certs that is available on Debian systems. This is a proof of concept, and I know it will be at least useful to myself.
See http://prepan.org/module/nY8EjAnEFa5
Would you be interested if I propose a patch that integrates the feature (using certs from /etc/ssl/certs instead of the bundled cacert.pem) in Mozilla::CA itself?
--
Olivier Mengué - http://perlresume.org/DOLMEN
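
The selection logic the proposal above describes, as an added example (not code from Mozilla::CA, from Mozilla::CA::Debian, or from the poster): prefer the OS store at /etc/ssl/certs and fall back to the bundled file only when the directory is unusable. The helper name `ca_trust_opts` is hypothetical, and the example assumes the directory holds OpenSSL subject-hash entries and that the result is passed to IO::Socket::SSL via its `SSL_ca_path` / `SSL_ca_file` options.

```perl
#!/usr/bin/perl
# Added example; not Mozilla::CA or Mozilla::CA::Debian code.
use strict;
use warnings;

# Return IO::Socket::SSL-style trust options: the OS store when usable,
# otherwise the bundled Mozilla::CA file. $dir defaults to the path named
# in the proposal; ca_trust_opts() is a hypothetical helper name.
sub ca_trust_opts {
    my ($dir) = @_;
    $dir = '/etc/ssl/certs' unless defined $dir;

    if (-d $dir && -r _) {
        opendir(my $dh, $dir) or die "opendir $dir: $!";
        # OpenSSL looks certificates up by subject-hash names such as
        # "1a2b3c4d.0"; require at least one readable entry so an empty or
        # un-rehashed directory does not silently become an empty trust store.
        my $hashed = grep { /\A[0-9a-f]{8}\.\d+\z/ && -r "$dir/$_" } readdir $dh;
        closedir $dh;
        return (SSL_ca_path => $dir, source => 'system') if $hashed;
    }

    # Fallback keeps portability: Mozilla::CA is loaded only when needed.
    require Mozilla::CA;
    return (SSL_ca_file => Mozilla::CA::SSL_ca_file(), source => 'bundled');
}

my %opts   = ca_trust_opts();
my $source = delete $opts{source};
print "trust store: $source\n";
print "  $_ => $opts{$_}\n" for sort keys %opts;
# %opts can then be passed to IO::Socket::SSL->new(...) together with
# SSL_verify_mode => SSL_VERIFY_PEER so that verification uses the chosen store.
```

Logging which source was chosen makes it visible when a host has silently dropped back to the bundled file, which is the case the proposal is concerned about.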