qtbase ssl discovery of root certificates
Andriy Gapon
avg at FreeBSD.org
Wed Dec 17 08:21:51 GMT 2025
QSslSocketPrivate::unixRootCertDirectories provides a list of directories to
scan for individual certificate files.
Only /etc/ssl/certs/ is relevant to FreeBSD; the other directories do not exist.
It might be a good idea to add /usr/local/etc/ssl/certs/ there.
And maybe some other directories where either FreeBSD base or FreeBSD ports
install certificate files.
E.g., /usr/share/certs/trusted.
That wouldn't be needed because /etc/ssl/certs/ is supposed to have symbolic
links to all trusted certificates. And it does.
But QSslSocketPrivate::systemCaCertificates sets a filter on the certificate
file names and the filter allows only *.crt and *.pem files while the symbolic
links do not have an extension (they have .N suffixes, e.g., .0, to resolve
potential fingerprint conflicts).
So, the current combination of directory paths and file name filters means that
no individual certificates are loaded by the Qt SSL code.
Things are not broken only because the code also loads certificate bundle files.
QSslSocketPrivate::systemCaCertificates has hardcoded paths
/etc/pki/tls/certs/ca-bundle.crt and /usr/local/share/certs/ca-root-nss.crt.
The former is not used on FreeBSD, the latter is there specifically for FreeBSD.
It works, but I think that it would be better to use /etc/ssl/cacert.pem (which
is typically a symbolic link to ca-root-nss.crt).
Maybe /usr/local/etc/ssl/cert.pem as well.
Those paths seem to be "canonical" while ca-root-nss.crt is a detail of
ca_root_nss port.
In summary:
Qt SSL does not load any individual root certificate files at all.
Qt SSL does load a root certificate bundle file but it could be done through a
better path (or paths).
--
Andriy Gapon
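The following is an added example, not Qt's or FreeBSD's own code, that emulates the discovery logic described in the message above on a constructed, FreeBSD-like directory tree: a scan of /etc/ssl/certs that keeps only *.crt and *.pem names (so hash-named symlinks such as a1b2c3d4.0 are skipped) next to the bundle-file lookup, with the proposed extra paths included. The fixture tree, the placeholder PEM bodies (not real certificates), the hash-name pattern and the "hash-aware" alternative filter are all assumptions made for the example; only the paths come from the message.

```python
"""Emulate Qt-style system CA discovery on a constructed FreeBSD-like tree.

Added example, not Qt or FreeBSD code. It models the behaviour described in
the post: a directory scan whose name filter keeps only *.crt / *.pem, so the
hash-named symlinks in /etc/ssl/certs (e.g. a1b2c3d4.0) are never loaded,
while a bundle file is still found. Everything in build_fixture() is made up.
"""
import os
import re
import tempfile
from pathlib import Path

# Directory the post says is scanned on FreeBSD, plus the one it proposes adding.
CERT_DIRS = ["/etc/ssl/certs", "/usr/local/etc/ssl/certs"]
# Bundle paths named in the post: the two hardcoded ones and the two proposed ones.
BUNDLE_PATHS = [
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/usr/local/share/certs/ca-root-nss.crt",
    "/etc/ssl/cacert.pem",
    "/usr/local/etc/ssl/cert.pem",
]

# Name filter as described in the post: only *.crt and *.pem survive.
QT_NAME_FILTER = re.compile(r"\.(crt|pem)$")
# Assumed hash-directory naming: 8 hex digits, a dot, a decimal suffix (e.g. .0).
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def qt_filter(name: str) -> bool:
    return bool(QT_NAME_FILTER.search(name))


def hash_aware_filter(name: str) -> bool:
    """Assumed alternative filter: *.crt/*.pem plus hash-named entries."""
    return qt_filter(name) or bool(HASHED_NAME.match(name))


def count_pem_certs(path: Path) -> int:
    """Number of PEM certificate blocks in a file (0 if it cannot be read)."""
    try:
        text = path.read_text(encoding="ascii", errors="replace")
    except OSError:
        return 0
    return len(PEM_CERT.findall(text))


def scan_cert_dir(directory: Path, accept) -> list:
    """Regular files (symlinks followed) in `directory` whose names pass `accept`."""
    if not directory.is_dir():
        return []
    return sorted(p for p in directory.iterdir() if accept(p.name) and p.is_file())


def audit(root: str = "/") -> dict:
    """Count what each filter would load from a tree rooted at `root`."""
    base = Path(root)
    result = {"individual_qt_filter": 0, "individual_hash_aware": 0, "bundles": {}}
    for rel in CERT_DIRS:
        d = base / rel.lstrip("/")
        result["individual_qt_filter"] += sum(
            count_pem_certs(p) for p in scan_cert_dir(d, qt_filter))
        result["individual_hash_aware"] += sum(
            count_pem_certs(p) for p in scan_cert_dir(d, hash_aware_filter))
    for rel in BUNDLE_PATHS:
        p = base / rel.lstrip("/")
        if p.is_file():
            result["bundles"][rel] = count_pem_certs(p)
    return result


def fake_pem(label: str) -> str:
    """Constructed placeholder shaped like a PEM certificate; not a real cert."""
    filler = (label.replace("_", "") * 8)[:64]
    return f"-----BEGIN CERTIFICATE-----\n{filler}\n-----END CERTIFICATE-----\n"


def build_fixture(root: str) -> None:
    """Lay out a constructed FreeBSD-like tree under `root` (all names assumed)."""
    base = Path(root)
    trusted = base / "usr/share/certs/trusted"
    certs = base / "etc/ssl/certs"
    nss = base / "usr/local/share/certs"
    for d in (trusted, certs, nss):
        d.mkdir(parents=True, exist_ok=True)
    roots = {"Example_Root_A.pem": "a1b2c3d4", "Example_Root_B.pem": "5e6f7a8b"}
    for name, h in roots.items():
        (trusted / name).write_text(fake_pem(name))
        # Hash-named symlink as in /etc/ssl/certs: no .crt/.pem extension.
        os.symlink(f"../../../usr/share/certs/trusted/{name}", certs / f"{h}.0")
    # Bundle as installed by the ca_root_nss port, and the canonical symlink to it.
    (nss / "ca-root-nss.crt").write_text("".join(fake_pem(n) for n in roots))
    os.symlink("../../usr/local/share/certs/ca-root-nss.crt", base / "etc/ssl/cacert.pem")


def demo_root() -> str:
    """Create the fixture in a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="qt-ca-")
    build_fixture(root)
    return root


if __name__ == "__main__":
    print("fixture:", audit(demo_root()))
    print("this host:", audit("/"))
```

On the fixture, the *.crt/*.pem filter loads zero individual certificates from /etc/ssl/certs while the hash-aware filter loads both, and the bundle is reachable through /usr/local/share/certs/ca-root-nss.crt as well as the /etc/ssl/cacert.pem symlink; running it against the real root shows what the same two rules would find on the host.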