redneb / HsOpenSSL-x509-system

Use the system's native CA certificate store with HsOpenSSL
https://hackage.haskell.org/package/HsOpenSSL-x509-system
BSD 3-Clause "New" or "Revised" License

Correct certificate storage lookup order for FreeBSD #2

Closed herrhotzenplotz closed 4 years ago

herrhotzenplotz commented 4 years ago

Previously on FreeBSD the path /usr/local/share/certs was found first and caused the main lookup loop (in contextLoadSystemCerts in Unix.hs) to exit. Since this directory only contains one certificate bundle and not single certificates, the loop exited and no certificates were loaded. By altering the order of the search paths, the root certs are recognized correctly on FreeBSD.

This issue appeared while using hookup together with irc-core. It worked perfectly fine on GNU/Linux but when moving it to FreeBSD no connection could be established.

Confirmed to be working on FreeBSD 12.1-RELEASE-p8 amd64 and GNU/Linux Archlinux 5.4.57-lts x86_64.

Please tell me if any issues arise from this.
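A model of the failure mode this PR describes, added here as an example (not code from the HsOpenSSL-x509-system project). It assumes a first-existing-candidate loop, that a directory candidate only yields OpenSSL hash-named entries (`<8 hex>.<n>`), and it builds a throwaway tree with fake PEM blocks to stand in for the FreeBSD layout described above:

```python
import os
import re
import tempfile

# Candidate orders as described in the thread (constructed for this example):
# the original FreeBSD order visited the certs directory before the bundle
# inside it; the maintainer's follow-up puts the /etc/ssl/cert.pem symlink first.
OLD_ORDER = ["/usr/local/share/certs", "/usr/local/share/certs/ca-root-nss.crt"]
NEW_ORDER = ["/etc/ssl/cert.pem",
             "/usr/local/share/certs/ca-root-nss.crt",
             "/usr/local/share/certs"]

# OpenSSL hash-dir entries look like <8 hex chars>.<n>; a bundle file does not.
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def certs_in(path):
    """Certs an OpenSSL-style load would pick up from `path`: PEM blocks for a
    bundle file, hash-named entries for a directory (a bundle in a dir is not one)."""
    if os.path.isfile(path):
        with open(path) as f:
            return sum(1 for line in f if line.strip() == PEM_BEGIN)
    return sum(1 for n in os.listdir(path) if HASH_NAME.match(n))


def first_existing(candidates, root):
    """Model of the lookup loop: the first candidate that exists wins, even if it
    yields zero certificates. Returns (candidate, certs loaded) or None."""
    for cand in candidates:
        full = os.path.join(root, cand.lstrip("/"))
        if os.path.exists(full):
            return cand, certs_in(full)
    return None


def simulate_freebsd():
    """Build a temporary tree shaped like the FreeBSD layout from the thread
    (fake PEM blocks, not real certificates) and run both orders over it."""
    with tempfile.TemporaryDirectory() as root:
        certs_dir = os.path.join(root, "usr/local/share/certs")
        os.makedirs(certs_dir)
        bundle = os.path.join(certs_dir, "ca-root-nss.crt")
        with open(bundle, "w") as f:
            f.write((PEM_BEGIN + "\nQUJD\n-----END CERTIFICATE-----\n") * 2)
        os.makedirs(os.path.join(root, "etc/ssl"))
        os.symlink(bundle, os.path.join(root, "etc/ssl/cert.pem"))
        return {"old": first_existing(OLD_ORDER, root),
                "new": first_existing(NEW_ORDER, root)}
```

With the old order the loop stops at the directory and loads nothing; with the new order the symlink wins and the bundle's certificates are loaded.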

redneb commented 4 years ago

Hi and thanks for the PR!

I did a quick investigation using FreeBSD 12.1 and you are right, /usr/local/share/certs/ca-root-nss.crt should be higher than /usr/local/share/certs. But I also noticed that FreeBSD creates by default a symlink, /etc/ssl/cert.pem, which points to /usr/local/share/certs/ca-root-nss.crt. So I think that /etc/ssl/cert.pem should be higher than the two aforementioned paths:

Accordingly, I pushed a commit to master that implements the change I describe above. Could you please test it by compiling from git? If you confirm that it works, I will publish it as a new version in hackage.

herrhotzenplotz commented 4 years ago

@redneb Thanks for answering. You're completely correct. The lookup works with your changes. I'd be happy if you push those changes to hackage. With that being said, I'll close this PR once the new version is published.

redneb commented 4 years ago

0.1.0.4 is not available on hackage. Thanks for the help!