Felipe Gasperwrote: >>> On Jun 16, 2022, at 14:42, Craig A. Berry <craig.a.berry@gmail.com> wrote: >>>> So let's please not go with a Linux-only solution and just use >>>> Mozilla::CA as already planned. > > My macOS, FreeBSD, and Cygwin installs all have roots at $OPENSSLDIR/cert.pem. [...] > > The problem with Mozilla::CA is [...] > > Alternatively, ship a very-simple CPAN module that duplicates golang’s root-finding logic. Neil's proposal is to go with option 1 aka IO::Socket::SSL, which already has its own logic. It checks several paths, including the one you mentioned above, and when it fails to find a root store, it falls back to Mozilla::CA. https://metacpan.org/pod/IO::Socket::SSL#Basic-SSL-Client https://metacpan.org/pod/IO::Socket::SSL#IO::Socket::SSL::default_ca([-path|dir|-SSL_ca_file-=-...,-SSL_ca_path-=%3E-...-])%3E What, exactly, would be the problem with this part of IO::Socket::SSL? By the way, I haven't seen HTTP::Tinyish discussed yet. Michiel Beijen pointed this out last time around. This small module seems to solve Neil's option 4 (work with wget, curl, etc) and might perhaps be the simplest solution here. HTTP::Tinyish is basically how cpanm does HTTPS. Among other things, it might side-step the lack of a configure stage and it avoids having to deal with finding a CA root store because it just uses whatever logic wget/curl has. However, it depends on other non-core modules, namely File::Which and IPC::Run3. Additionally, we would need to consider systems that have neither wget nor curl. https://www.nntp.perl.org/group/perl.perl5.porters/2021/12/msg262117.html https://metacpan.org/pod/HTTP::Tinyish -- Arne Johannessen <https://arne.johannessen.de/>Thread Previous | Thread Next