Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box

On Fri, Dec 10, 2021 at 10:45 AM Tomasz Konojacki <me@xenu.pl> wrote:
>
> On Fri, 10 Dec 2021 10:37:19 +0000
> Nicholas Clark <nick@ccl4.org> wrote:

> > other question was
> >
> > *) for bootstrapping how many (well, few) certificates do we need to ship?

Is it any easier to ship a certificate file with one certificate
rather than 100?  I'm no expert but I believe root certs typically
have many-year expiration lifecycles, much longer than the specific
domain certs created from them, so there could be advantages to using
a standard bundle of root certs even for bootstrapping purposes.
Specifically, if we ship Perl with one and only one cert for cpan.org
and it happens to expire two weeks after a Perl release ships, how
does that one cert get updated before expiration?  Root certs do
eventually expire and revocations are always possible, but
unpleasantness that is rare is preferable to unpleasantness that is
more frequent.

Also, if we include a cert file that only has one certificate in it
because that's all we need for bootstrapping CPAN.pm, doesn't that
potentially break other uses of the same toolchain
(Net::SSLeay/IO::Socket::SSL), such as folks scraping random parts of
the web or whatever?  Or we have to use a differently-named cert file
for bootstrapping and make the tools find it.

> >    and how often do these change?

Looks like every month or two here:

<https://curl.se/docs/caextract.html>

although that may just be how often curl keeps up and not how often
they actually change.

> Mozilla::CA is the module that provides SSL certificates. Unfortunately
> it's almost always outdated so ideally we should get co-maint on it and
> automate its updates.

It certainly looks automatable as it already has a script to produce a
new release when the cacert.pem file changes.  How does the end user
get the updated version, though?  Would CPAN.pm have to always update
Mozilla::CA even if it's not in the dependency chain of whatever is
being installed?

• Pre-RFC: support https out-of-the-box by Neil Bowers
• Re: Pre-RFC: support https out-of-the-box by Wesley Schwengle via perl5-porters
• Re: Pre-RFC: support https out-of-the-box by Yuki Kimoto
• Re: Pre-RFC: support https out-of-the-box by Tomasz Konojacki
• Re: Pre-RFC: support https out-of-the-box by Paul "LeoNerd" Evans
• Re: Pre-RFC: support https out-of-the-box by Sergey Aleynikov
• Re: Pre-RFC: support https out-of-the-box by Oodler 577 via perl5-porters
• Re: Pre-RFC: support https out-of-the-box by Elvin Aslanov
• Re: Pre-RFC: support https out-of-the-box by Ovid via perl5-porters
• Re: Pre-RFC: support https out-of-the-box by Dan Book
• Re: Pre-RFC: support https out-of-the-box by Martijn Lievaart
• Re: Pre-RFC: support https out-of-the-box by Neil Bowers
• Re: Pre-RFC: support https out-of-the-box by Oodler 577 via perl5-porters
• Re: Pre-RFC: support https out-of-the-box by gregor herrmann
• Re: Pre-RFC: support https out-of-the-box by Elvin Aslanov
• Re: Pre-RFC: support https out-of-the-box by Felipe Gasper
• Re: Pre-RFC: support https out-of-the-box by Elvin Aslanov
• Re: Pre-RFC: support https out-of-the-box by Alexander Hartmaier
• Re: Pre-RFC: support https out-of-the-box by Craig A. Berry
• Re: Pre-RFC: support https out-of-the-box by Darren Duncan
• Re: Pre-RFC: support https out-of-the-box by Alberto Simões
• Re: Pre-RFC: support https out-of-the-box by Martijn Lievaart
• Re: Pre-RFC: support https out-of-the-box by Oodler 577 via perl5-porters
• Re: Pre-RFC: support https out-of-the-box by Felipe Gasper
• Re: Pre-RFC: support https out-of-the-box by Alexander Hartmaier
• Re: Pre-RFC: support https out-of-the-box by Craig A. Berry
• Re: Pre-RFC: support https out-of-the-box by Felipe Gasper
• Re: Pre-RFC: support https out-of-the-box by Craig A. Berry
• Re: Pre-RFC: support https out-of-the-box by Felipe Gasper
• Re: Pre-RFC: support https out-of-the-box by Craig A. Berry
• Re: Pre-RFC: support https out-of-the-box by Felipe Gasper
• Re: Pre-RFC: support https out-of-the-box by Arne Johannessen
• Re: Pre-RFC: support https out-of-the-box by Felipe Gasper
• Re: Pre-RFC: support https out-of-the-box by Felipe Gasper
• Re: Pre-RFC: support https out-of-the-box by Yuki Kimoto
• Re: Pre-RFC: support https out-of-the-box by Ricardo Signes
• Re: Pre-RFC: support https out-of-the-box by Craig A. Berry
• mbedTLS WAS Re: Pre-RFC: support https out-of-the-box by Felipe Gasper
• Re: mbedTLS WAS Re: Pre-RFC: support https out-of-the-box by Craig A. Berry
• OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Darren Duncan
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Salvador Fandiño
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Salvador Fandiño
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Salvador Fandiño
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Tomasz Konojacki
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Martijn Lievaart
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Oodler 577 via perl5-porters
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Yuki Kimoto
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Felipe Gasper
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Oodler 577 via perl5-porters
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Paul "LeoNerd" Evans
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Yuki Kimoto
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Craig A. Berry
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Nicholas Clark
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Tomasz Konojacki
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Elvin Aslanov
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Tomasz Konojacki
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Craig A. Berry
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Tomasz Konojacki
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Andrew Hewus Fresh
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Salvador Fandiño
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Salvador Fandiño
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Craig A. Berry
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Nicholas Clark
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Craig A. Berry
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Martijn Lievaart
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Craig A. Berry
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Oodler 577 via perl5-porters
• Re: OpenSSL alternative support WAS Re: Pre-RFC: supporthttpsout-of-the-box by Martijn Lievaart
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Tom Molesworth via perl5-porters
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Nicholas Clark
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Felipe Gasper
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Craig A. Berry
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Emmanuel Seyman
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Craig A. Berry
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Andrew Hewus Fresh
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by James E Keenan
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Paul "LeoNerd" Evans
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Michiel Beijen
• Re: OpenSSL alternative support WAS Re: Pre-RFC: support httpsout-of-the-box by Michiel Beijen
• Re: Pre-RFC: support https out-of-the-box by Yuki Kimoto
• Re: Pre-RFC: support https out-of-the-box by Craig A. Berry
• Re: Pre-RFC: support https out-of-the-box by Yuki Kimoto