OpenSSL / gnutls CA certificate bundles #828
Unanswered
Firefishy
asked this question in
Tap maintenance and brew development
Replies: 1 comment
- Problem 1 is by design: Homebrew/homebrew-core#1072, but there is a way to work around the issue: Homebrew/homebrew-core#71191 (comment)
At install time of OpenSSL and/or gnutls a CA certificate bundle is created which is seeded from the Certificate Authority (CA) certificates in Keychain.
Problem 1:
Currently only /System/Library/Keychains/SystemRootCertificates.keychain is used. SystemRootCertificates.keychain only supports Apple supplied CAs. Organisational (or user) installed CA certificates are normally added to /Library/Keychains/System.keychain. Without the additional CA certificates users can unexpectedly receive untrusted certificate errors in homebrew installed apps, when the same url/site works OK in browsers.
My PRs to fix:
OpenSSL: Homebrew/homebrew-core#71191
gnutls: Homebrew/homebrew-core#71282
Problem 2:
The homebrew CA certificate bundles are only ever updated when updating OpenSSL or gnutls packages.
https://github.com/raggi/openssl-osx-ca is a project which adds a launchagent which regularly updates the homebrew CA certificate bundles.
OpenSSL and/or gnutls should likely also have an automated mechanism for regularly updating certificate bundles.
Problem 3:
OpenSSL post-install output:
This is factually incorrect, the cert.pem CA bundle is not updated by c_rehash.
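As an added example (not Homebrew's, the PRs', or openssl-osx-ca's code), a POSIX shell script that addresses Problem 1 and Problem 2 together: it rebuilds a cert.pem from both keychains named above and is meant to be run periodically rather than only at formula upgrade. The output path is a caller-supplied assumption, and the macOS security(1) invocation is the assumed export mechanism.

```shell
#!/bin/sh
# Rebuild an OpenSSL-style cert.pem from Apple's root keychain AND the system
# keychain that holds organisation/user installed CAs (the keychain the
# post-install step currently skips). Constructed example; not Homebrew's or
# openssl-osx-ca's code. The bundle path is passed in by the caller.
set -eu

# Keychains to export from, in order. The second one is the missing piece.
KEYCHAINS="/System/Library/Keychains/SystemRootCertificates.keychain /Library/Keychains/System.keychain"

# count_certs FILE: number of PEM certificates in FILE (0 for an empty file).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || :
}

# export_keychain_cas KEYCHAIN OUTFILE: append every certificate in KEYCHAIN
# as PEM (-a: all matches, -p: PEM). Caveat: find-certificate does not consult
# trust settings, so a CA that is present but marked "never trust" is exported
# too; filter with security(1) verify-cert if that matters in your environment.
export_keychain_cas() {
    security find-certificate -a -p "$1" >> "$2"
}

# build_bundle OUTFILE: write the combined bundle atomically, refusing to
# clobber an existing bundle if the export produced no certificates at all.
build_bundle() {
    out="$1"
    tmp="$(mktemp "${out}.XXXXXX")"
    for kc in $KEYCHAINS; do
        export_keychain_cas "$kc" "$tmp"
    done
    n="$(count_certs "$tmp")"
    if [ "$n" -eq 0 ]; then
        rm -f "$tmp"
        echo "no certificates exported; leaving $out untouched" >&2
        return 1
    fi
    chmod 0644 "$tmp"
    mv "$tmp" "$out"
    echo "wrote $n certificates to $out"
}

# Usage: sh rebuild-ca-bundle.sh /path/to/homebrew/cert.pem
# Schedule it (launchd agent or cron) so the bundle tracks Keychain changes
# instead of only being regenerated on an OpenSSL/gnutls upgrade.
[ "$#" -eq 0 ] || build_bundle "$1"
```

Note that c_rehash only maintains hash-named symlinks in a certs directory; regenerating cert.pem itself is what this script does.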