dropping Of cert.pem File
Summary
In order to increase the performance of OpenSSL by default using directory-hash format we need to drop the /etc/pki/tls/cert.pem file to prevent it from being loaded by default.
Owner
- Name: František Krenželok
- Email: fkrenzel@redhat.com
Current status
- Targeted release: Fedora Linux 42
- Last updated: 2024-09-25
- [Announced]
- [<will be assigned by the Wrangler> Discussion thread]
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
In order to improve the loading time of OpenSSL a directory-hash support was added to ca-certificates. In order for OpenSSL to use the directory-hash format by default we need to stop in from trying to load /etc/pki/tls/cert.pem by deleting it.
Feedback
Benefit to Fedora
Applications using OpenSSL(possibly other libraries as well) will benefit from much faster initialization of OpenSSL.
Scope
- Proposal owners:
The change is already in the rawhide
- Other developers:
Any package loading the root certificates from /etc/pki/tls/cert.pem
file need to preferably use the defaults of the library or if they must, use the /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
file instead.
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy:
Upgrade/compatibility impact
Early Testing (Optional)
Do you require 'QA Blueprint' support? Y/N
How To Test
User Experience
Dependencies
Contingency Plan
- Contingency mechanism: We will postpone the change if majority or critical package owners will be unable to make appropriate changes.
- Contingency deadline: before end of beta freeze(2025-02-18).
- Blocks release? The feature doesn't block release.
Documentation
The change is documented as a part of ca-certificates changelog.
Release Notes
The /etc/pki/tls/cert.pem file is deprecated use .