dropping Of cert.pem File
Summary
In order to increase the performance of OpenSSL by default using directory-hash format we need to drop the /etc/pki/tls/cert.pem file to prevent it from being loaded by default.
Owner
-- For change proposals to qualify as self-contained, owners of all affected packages need to be included here. Alternatively, a SIG can be listed as an owner if it owns all affected packages. This should link to your home wiki page so we know who you are. -->
- Name: František Krenželok
- Email: fkrenzel@redhat.com
Current status
- Targeted release: Fedora Linux 42
- Last updated: 2024-09-25
- [Announced]
- [<will be assigned by the Wrangler> Discussion thread]
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
In order to improve the loading time of OpenSSL a directory-hash support was added to ca-certificates. In order for OpenSSL to use the directory-hash format by default we need to stop in from trying to load /etc/pki/tls/cert.pem by deleting it.
Feedback
Benefit to Fedora
Applications using OpenSSL(possibly other libraries as well) will benefit from much faster initialization of OpenSSL.
Scope
- Proposal owners:
The change is already in the rawhide
- Other developers:
Any package loading the root certificates from /etc/pki/tls/cert.pem
file need to preferably use the defaults of the library or if they must, use the /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
file instead.
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy:
Upgrade/compatibility impact
Early Testing (Optional)
Do you require 'QA Blueprint' support? Y/N
How To Test
User Experience
Dependencies
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
N/A (not a System Wide Change)