This queue is for tickets about the Mozilla-CA CPAN distribution.

Report information
The Basics
Id: 113147
Status: rejected
Priority: 0/
Queue: Mozilla-CA

Owner: Nobody in particular
Requestors: dolmen [...]

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)

Subject: Proposal: load certs from /etc/ssl/certs instead of the bundled cacert.pem
Mozilla::CA is convenient because it is available on CPAN and it is portable. And because of this many CPAN distributions rely on it either as the default certificates store or as the default one.
However it is insecure, or at least less secure than the certificate store provided by the operating system. One minimum reason is that it is not kept up-to-date as the rest of the operating system.

I've hacked a module Mozilla::CA::Debian that provides the Mozilla::CA interface but uses instead the certificates from /etc/ssl/certs that is available on Debian systems. This is a proof of concept, and I know it will be at least useful to myself.

Would you be interested if I propose a patch that integrates the feature (using certs from /etc/ssl/certs instead of the bundled cacert.pem) in Mozilla::CA itself?

Olivier Mengué -
After discussion on #toolchain, I'm abandoning this proposal.
Mozilla::CA must stay as is, providing only cacert.pem.

Olivier Mengué -
Subject: Re: [ #113147] Proposal: load certs from /etc/ssl/certs instead of the bundled cacert.pem
Date: Fri, 18 Mar 2016 11:54:56 -0700
To: bug-Mozilla-CA [...]
From: Ask Bjørn Hansen <ask [...]>
As you realized too, this is a good idea, but no reason to mix it up in Mozilla::CA. When you have a distribution we can reference it in the docs here.
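An added example, not code from this ticket or from Mozilla::CA: one way a caller could prefer the OS store in /etc/ssl/certs and fall back to the bundled cacert.pem, leaving Mozilla::CA itself unchanged. The helper name ca_options, the hash-name check and the choice of IO::Socket::SSL option names for the return value are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Location of the OS store discussed in the ticket (Debian layout).
my $SYSTEM_CA_DIR = '/etc/ssl/certs';

# ca_options() is a hypothetical helper, not part of Mozilla::CA.
# It returns one key/value pair using IO::Socket::SSL option names:
#   SSL_ca_path => directory of OpenSSL hash-named certificates, or
#   SSL_ca_file => single PEM bundle (Mozilla::CA's cacert.pem).
sub ca_options {
    my ($dir) = @_;
    $dir = $SYSTEM_CA_DIR unless defined $dir;

    # OpenSSL finds CAs in a directory only through entries named
    # <8 hex digits>.<n>, so an empty or unhashed directory is unusable.
    # This checks names and readability only; it does not parse the files.
    # The -r test also skips dangling symlinks.
    if (-d $dir && opendir(my $dh, $dir)) {
        my @hashed = grep { /\A[0-9a-f]{8}\.\d+\z/ && -r "$dir/$_" } readdir $dh;
        closedir $dh;
        return (SSL_ca_path => $dir) if @hashed;
    }

    # Fallback: the bundle shipped with Mozilla::CA, loaded only if needed.
    require Mozilla::CA;
    return (SSL_ca_file => Mozilla::CA::SSL_ca_file());
}

# Constructed demonstration: a hashed directory, then a missing one.
if (!caller) {
    require File::Temp;
    my $tmp = File::Temp::tempdir(CLEANUP => 1);
    open(my $fh, '>', "$tmp/0a1b2c3d.0") or die "cannot write: $!";
    close $fh;

    my %opt = ca_options($tmp);
    print "hashed dir  -> SSL_ca_path=$opt{SSL_ca_path}\n";

    %opt = ca_options("$tmp/missing");    # needs Mozilla::CA installed
    print "missing dir -> SSL_ca_file=$opt{SSL_ca_file}\n";
}
```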