raggi / openssl-osx-ca

Simple periodic task to sync OSX Keychain certs to Homebrew installed OpenSSL & LibreSSL

Simplified a bit and removed unnecessary c_rehash. #4

Closed wolfeidau closed 11 years ago

wolfeidau commented 11 years ago

Tested by rebuilding ruby-2.0.0-p0, installing rails, updating bundler to 1.3.0 and creating a rails app to try it out.

All worked fine; dtrace showed me that whenever an HTTPS URL is accessed, /usr/local/etc/openssl/cert.pem is opened.

:thumbsup:

raggi commented 11 years ago

The tmpdir prevents annoying race conditions where certs will be unavailable for longer. As for not verifying the chains, you can do that, but this will prevent unexpected breakage, as you'd get an error from the cron before some application.

wolfeidau commented 11 years ago

Ah ok, didn't know about the race condition.

I read the sources to the Perl script c_rehash and I believe it only reads the first certificate in certs.pem, validates it, then creates a link to that file; this is typically used in the /usr/local/etc/openssl/certs/ folder.

Take a look at the sources and see if I am wrong.

Cheers.

raggi commented 11 years ago

You're probably right, in which case, I should really write a separate validator.
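A stand-in for the separate validator raggi mentions, added here as an example and not code from openssl-osx-ca: it checks every certificate block in the bundle (where c_rehash, as wolfeidau notes, looks only at the first) and installs the file by writing to a temp file in the same directory and renaming it, which is the race the PR's tmpdir guards against. The function names and the sample PEM bodies are constructed; the per-block check is a structural DER check only, not the X.509 verification `openssl x509` would perform.

```python
import base64, os, re, tempfile

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample bodies (NOT real certificates): a well-formed outer DER
# SEQUENCE (30 03 02 01 05) and one whose declared length overruns the data.
GOOD_BLOCK = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
BAD_BLOCK = "-----BEGIN CERTIFICATE-----\nMAUCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = GOOD_BLOCK + BAD_BLOCK

def split_pem_bundle(text):
    """Base64 body of every CERTIFICATE block, in file order, whitespace removed."""
    return [re.sub(r"\s+", "", m) for m in _PEM_BLOCK.findall(text)]

def der_is_well_formed(der):
    """Structural check only: one outer SEQUENCE whose encoded length fits the blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        hdr, length = 2, der[1]
    else:                                   # long-form length: 0x80|n, then n bytes
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)

def validate_bundle(text):
    """Return (good_count, bad_indexes); every block is checked, not only the first."""
    bad, bodies = [], split_pem_bundle(text)
    for i, body in enumerate(bodies):
        try:
            ok = der_is_well_formed(base64.b64decode(body, validate=True))
        except ValueError:                  # binascii.Error is a ValueError subclass
            ok = False
        if not ok:
            bad.append(i)
    return len(bodies) - len(bad), bad

def install_bundle(text, dest):
    """Validate, write to a temp file beside dest, then rename atomically."""
    good, bad = validate_bundle(text)
    if good == 0 or bad:
        raise ValueError("refusing to install: good=%d bad=%r" % (good, bad))
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".", prefix=".cert.pem.")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(tmp, 0o644)                    # mkstemp creates 0600; the bundle must be world-readable
    os.replace(tmp, dest)                   # readers see the old file or the new one, never a partial
    return good
```

Because the rename happens only after every block has passed, a bad certificate anywhere in the file leaves the previous bundle untouched and makes the cron job fail first, rather than some application later.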