Re: [Chicken-users] openssl egg patch for default root certs

From: Thomas Chust
Subject: Re: [Chicken-users] openssl egg patch for default root certs
Date: Sun, 25 Nov 2018 11:49:12 +0100

On Sun, 11 Nov 2018 23:35:08 -0600 Jim Ursetto <address@hidden>

> [...]
> If you can find a better way I welcome it. My only request is that existing 
> eggs (particularly ones that call openssl through http-client) are able to 
> pull in the system default certs without changes to the eggs. It’s mainly 
> that a lot of eggs depend on openssl, whether advisedly or not.
> I know Kooda patched openssl on Chicken 5 to default to a certificate 
> authority file on macosx but it’s not valid for general use (neither the OS 
> nor homebrew uses this location — his patch doesn’t work on my box). And, the 
> default cert directory you use is not valid on RedHat (which stores certs in 
> various places under /etc/pki/tls), only Debian.
> [...]


During the CHICKEN hackathon I tweaked the openssl code a bit, trying
to improve the handling of verification roots. You can set

    (ssl-default-certificate-authorities #t)
    (ssl-default-certificate-authority-directory #t)

which is also the default now, to load verification roots from wherever
OpenSSL thinks fit, or you can set the parameters to #f to disable
verification by default, or you can set them to file / directory paths.

@zbigniew: Check out the trunk version of openssl (r36870), perhaps it
suits your needs :-)

@wasamasa: Perhaps a new release of the egg is in order in the near
future :-)


The greatest victory is that which requires no battle.
-- Sun Tzu, "The Art of War"
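The three settings of the two parameters described in the message above, as an added example that is not code from the egg or from the thread. It assumes CHICKEN 5 with the trunk openssl egg discussed here (the parameters `ssl-default-certificate-authorities` and `ssl-default-certificate-authority-directory`) together with the egg's `ssl-connect` and `ssl-peer-verified?` procedures; the RedHat-style bundle path is only an illustration.

```scheme
;; Added example for the openssl egg's default-root parameters (not the egg's
;; own code). Assumes the CHICKEN 5 trunk egg: ssl-connect returns an input
;; and an output port, ssl-peer-verified? reports the verification result.
(import scheme (chicken base) openssl)

;; 1. Load roots from wherever this build of OpenSSL looks by default
;;    (compiled-in cert file/dir, SSL_CERT_FILE, SSL_CERT_DIR). This is the
;;    egg's new default, so calling this is only needed to restore it.
(define (use-system-roots!)
  (ssl-default-certificate-authorities #t)
  (ssl-default-certificate-authority-directory #t))

;; 2. Pin an explicit bundle and ignore any directory, e.g. on a RedHat-style
;;    layout where the bundle lives under /etc/pki/tls (illustrative path).
(define (use-ca-file! path)
  (ssl-default-certificate-authorities path)
  (ssl-default-certificate-authority-directory #f))

;; 3. No default roots at all: every connection is then unverified unless a
;;    context loads roots itself. Only sensible for tests against a local
;;    server with a self-signed certificate.
(define (use-no-roots!)
  (ssl-default-certificate-authorities #f)
  (ssl-default-certificate-authority-directory #f))

;; Whatever the parameters say, do not use a connection unless the peer chain
;; actually verified against the configured roots; fail closed otherwise.
(define (connect-verified host port)
  (let-values (((in out) (ssl-connect host port)))
    (if (ssl-peer-verified? in)
        (values in out)
        (begin
          (close-input-port in)
          (close-output-port out)
          (error "peer certificate did not verify against configured roots"
                 host)))))

;; Usage: with system roots the connection to a publicly trusted host succeeds;
;; after (use-no-roots!) the same call raises the error above.
(use-system-roots!)
(let-values (((in out) (connect-verified "example.com" 443)))
  (close-input-port in)
  (close-output-port out))
```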

