pre-srfi / tls-client

Make binary ports that talk to TLS/SSL servers

Where to find certificates #3

Open lassik opened 3 years ago

lassik commented 3 years ago

https://github.com/shirok/Gauche/issues/723

Curl on MacOS and iOS:

If curl is built against Secure Transport, then this option is supported for backward compatibility with other SSL engines, but it should not be set. If the option is not set, then curl will use the certificates in the system and user Keychain to verify the peer, which is the preferred method of verifying the peer's certificate chain.

lassik commented 3 years ago

(private-key "filename" der|eng|pem)
(certificate "filename" der|eng|pem)
(certificate-directory "pathname" pem)
(certificate+private-key-file "filename" pem/pkcs-12)

lassik commented 3 years ago

https://github.com/shirok/Gauche/blob/master/ext/tls/load_system_cert.c

Where Gauche looks for them:

"/etc/ssl/certs/ca-certificates.crt",                  /* ubuntu */
"/usr/share/pki/ca-trust-source/ca-bundle.trust.crt",  /* fedora */
"/etc/pki/tls/certs/ca-bundle.crt",                    /* fedora (compat) */
"/usr/local/etc/openssl/cert.pem",                     /* osx homebrew openssl */
lassik commented 3 years ago

Should the SRFI let the user give hints for filenames where to find certificates, in case they aren't found in the default search path?
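As an added example (not code from the thread, the pre-srfi/tls-client project or Gauche), the probe below shows one way a client library could implement the search path quoted from load_system_cert.c above together with the user-supplied hints asked about here. It checks hints first, then the SSL_CERT_FILE environment variable, then a built-in list. The first four list entries are the Gauche paths; the remaining entries are assumptions about other common layouts. The function also refuses a bundle that exists but contains no certificate, since an empty trust store would fail every verification rather than report a configuration mistake. The Fedora ca-bundle.trust.crt uses OpenSSL's "TRUSTED CERTIFICATE" PEM label, so the counter accepts that label as well as the plain one.

```python
"""Locate a usable CA bundle: hints, then SSL_CERT_FILE, then known paths."""
import os
import re
import tempfile

# Candidate bundle files. The first four are the paths quoted from Gauche's
# load_system_cert.c; the last two are an assumption about other common
# layouts and should be checked against the target system.
DEFAULT_CANDIDATES = (
    "/etc/ssl/certs/ca-certificates.crt",                  # ubuntu
    "/usr/share/pki/ca-trust-source/ca-bundle.trust.crt",  # fedora
    "/etc/pki/tls/certs/ca-bundle.crt",                    # fedora (compat)
    "/usr/local/etc/openssl/cert.pem",                     # osx homebrew openssl
    "/etc/ssl/ca-bundle.pem",                              # openSUSE (assumed)
    "/etc/ssl/cert.pem",                                   # Alpine/FreeBSD/macOS (assumed)
)

# One match per PEM block. "TRUSTED CERTIFICATE" is OpenSSL's extended label,
# used by Fedora's ca-bundle.trust.crt; plain "CERTIFICATE" is the common case.
PEM_CERT = re.compile(
    rb"-----BEGIN (?:TRUSTED )?CERTIFICATE-----\s*(.+?)\s*-----END (?:TRUSTED )?CERTIFICATE-----",
    re.S,
)


def count_pem_certs(data: bytes) -> int:
    """Number of certificate blocks in a PEM bundle (0 for DER or garbage)."""
    return len(PEM_CERT.findall(data))


def find_ca_bundle(candidates=DEFAULT_CANDIDATES, env=None, hints=()):
    """Return (path, certificate_count) for the first usable bundle.

    Search order: caller hints, $SSL_CERT_FILE, then the built-in list.
    A file that exists but holds no certificate is skipped, because trusting
    an empty store would make every handshake fail with a misleading error.
    Raises FileNotFoundError when nothing usable is found.
    """
    env = os.environ if env is None else env
    search = list(hints)
    if env.get("SSL_CERT_FILE"):
        search.append(env["SSL_CERT_FILE"])
    search.extend(candidates)
    for path in search:
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            n = count_pem_certs(f.read())
        if n == 0:
            continue
        return path, n
    raise FileNotFoundError("no usable CA bundle found; set SSL_CERT_FILE")


# Constructed placeholder body: base64-looking text, NOT a real certificate.
CONSTRUCTED_BODY = b"MIIBszCCAVmgAwIBAgIUY29uc3RydWN0ZWQtc2FtcGxlLW9ubHk=\n"


def constructed_bundle(n: int) -> bytes:
    """Build a PEM 'bundle' of n placeholder blocks (constructed sample data)."""
    block = (b"-----BEGIN CERTIFICATE-----\n" + CONSTRUCTED_BODY
             + b"-----END CERTIFICATE-----\n")
    return block * n


def demo():
    """Exercise the search order against files in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "ca-bundle.crt")
        empty = os.path.join(d, "empty.crt")
        hinted = os.path.join(d, "hint.pem")
        missing = os.path.join(d, "does-not-exist.crt")
        with open(good, "wb") as f:
            f.write(constructed_bundle(3))
        open(empty, "wb").close()
        with open(hinted, "wb") as f:
            f.write(constructed_bundle(1))

        def run(**kw):
            try:
                path, n = find_ca_bundle(**kw)
                return os.path.basename(path), n
            except FileNotFoundError:
                return None

        return {
            "env_wins": run(candidates=(empty,), env={"SSL_CERT_FILE": good}),
            "hint_wins": run(candidates=(empty,), env={"SSL_CERT_FILE": good}, hints=[hinted]),
            "empty_skipped": run(candidates=(empty, good), env={}),
            "missing": run(candidates=(missing,), env={}),
        }


if __name__ == "__main__":
    print("constructed search:", demo())
    try:
        print("this host:", find_ca_bundle())
    except FileNotFoundError as e:
        print("this host:", e)
```

On a real host, `find_ca_bundle()` returns the first populated bundle from the list, so the printed count is a quick sanity check that the file a library would silently pick is the one the administrator expects.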

johnwcowan commented 3 years ago

On Linux, there are gnutls applications like wget and there are OpenSSL applications like curl, and they look in different places, alas.

lassik commented 3 years ago

Do GnuTLS and OpenSSL use compatible certificate file formats? If they do, we could list the paths for both.

lassik commented 3 years ago

I wonder how we can get at the certificates stored in the MacOS Keychain. And is there a similar facility in Windows?