Diffstat (limited to 'docs/README.sslcerts')
-rw-r--r--  docs/README.sslcerts  54
1 files changed, 34 insertions, 20 deletions
diff --git a/docs/README.sslcerts b/docs/README.sslcerts index 4ad82a90..39c3dcda 100644 --- a/docs/README.sslcerts +++ b/docs/README.sslcerts @@ -1,11 +1,11 @@ - Lynx SSL support for certificates - README.sslcerts file + Lynx SSL support for certificates - README.sslcerts file BACKGROUND: The original README.ssl document for lynx stated: - Note that the server... may not have a valid certificate. Lynx will not - complain, as it does not yet support certificates... + Note that the server... may not have a valid certificate. Lynx will not + complain, as it does not yet support certificates... Such lack of support is no longer the case. Lynx now features excellent certificate management through the openssl project. There is almost no @@ -29,7 +29,7 @@ self-signed certificate from a known server source and have it be trusted by client programs. Briefly, the procedure will involve confirming the default system location for -certificates, possibly setting values for SSL_CERT_DIR and SSL_CERT_FILE in +certificates, setting values for SSL_CERT_DIR and SSL_CERT_FILE in the environment, and converting and hashing the certificates using openssl utilities to enable recognition. @@ -51,8 +51,8 @@ The ability to turn off reporting of this error to the user was added to lynx2.8.5dev16 as the FORCE_SSL_PROMPT setting in lynx.cfg as noted in the CHANGELOG: - This lets the user decide whether to ignore prompting for questionable - aspects of an SSL connection. + This lets the user decide whether to ignore prompting for questionable + aspects of an SSL connection. While this is a convenient setting to employ when using lynx to script https -dumps, it by definition ignores the issue of certificate validity 
@@ -114,13 +114,24 @@ Note also that there is no CA cert bundle distributed with OpenSSL. The OpenSSL team specifically decided NOT to do that. Getting a set of trusted certificates is left up to the installer. -It is a fairly trivial procedure to pull the bundle of trusted root certs out -of a recent version of Internet Explorer. The MirOS BSD project also provides -them. The procedure to convert and install them is detailed later in this -document, and if you simply need to have commercially provided certificates -trusted by lynx, you can skip down a few lines to the INSTALLING OR UPDATING +It is no longer a fairly trivial procedure to pull the bundle of trusted root certs out +of a recent version of Internet Explorer. Multiple certificates are no longer +exportable as a DER formatted file; extraction of a single certificate is the only +export for DER, and DER is what converts to PEM. + +Users with access to Apple OS X can export all certificates from Keychain Access System Roots as +a .pem file. Place this in SSL_CERT_DIR and hash it and you're done. + +The MirOS BSD project also provides them. The procedure to convert and install them +is detailed later in this document, and if you simply need to have commercially provided +certificates trusted by lynx, you can skip down a few lines to the INSTALLING OR UPDATING THE CA BUNDLE section. +Extracted Mozilla cert bundles are available for download from the curl project, +http://curl.haxx.se/docs/caextract.html along with a script to extract from Mozilla +source. + + INSTALLING A SELF-SIGNED CERTIFICATE: When you would like to trust a self-signed (non-commercial) certificate you will 
@@ -153,7 +164,7 @@ INSTALLING OR UPDATING THE CA BUNDLE: Now would be a good time to check to see if you have the bundle of CA certs /usr/local/ssl/cert.pem, or to update them. -CA bundles are available in various places, such as the MirBSD distribution, +CA bundles are available in various places, such as the MirOS BSD distribution, for those who want to take that route, or you can extract the current bundle from a current version of Internet Explorer (export them all from IE and transfer it onto your system). @@ -166,9 +177,10 @@ It includes the cacert.org certificate. Download the latest revision; read the file to see how to get the certs out. No hashing is necessary with this set of certs; it is already done; ignore -the c_rehash usage below for this bundle. +the c_rehash usage below for this bundle. Simply run `sh ssl.certs.shar` +in SSL_CERT_DIR. -From IE certs extract as a PKCS7 file and need to be converted with something +From IE 5.x certs extract as a PKCS7 file and need to be converted with something like: openssl pkcs7 -inform DER -in bundle.crt -outform PEM -out cert.pem \ @@ -208,10 +220,10 @@ All pem encoded certs in /usr/local/ssl/certs will now be recognized. SETTING AND EXPORTING ENVIRONMENT VARIABLES: -If lynx is still not recognizing certs, environment variables may need +If lynx is still not recognizing certs, environment variables need to be set; if on a sh type shell, the variables also need to be exported. -The environment variables SSL_CERT_DIR and SSL_CERT_FILE only need to be set +The environment variables SSL_CERT_DIR and SSL_CERT_FILE need to be set if a non-default location is used for certificates, or if certs just can't be found by lynx. They may be set as follows in /etc/profile, or a shell initialization .profile or .*shrc, if we run a non csh type shell, according 
@@ -226,14 +238,15 @@ On csh type shells, you can use: setenv SSL_CERT_DIR "/usr/local/ssl/certs" setenv SSL_CERT_FILE "/usr/local/ssl/cert.pem" -On many systems setting and exporting them makes all the difference. Apparently -this is not an issue on other systems, but this might help someone -somewhere. - Note that the environment variable SSL_CERT_FILE applies to the cert-bundle if used outside of the default location (/usr/local/ssl/cert.pem) compiled into OpenSSL. There are issues with SSL_CERT_FILE in 0.9.6x versions of openssl. +The configuration file lynx.cfg allows a system SSL_CERT_FILE variable to be set +which can simplify matters. + +SSL_CERT_FILE:/etc/ssl/certs/ca-certificates.crt + Make sure you have FORCE_SSL_PROMPT set to PROMPT in lynx.cfg like so: FORCE_SSL_PROMPT:PROMPT @@ -246,6 +259,7 @@ SSL error:self signed certificate-Continue? (y) A quick check confirms that these procedures have the same effect with ssl errors in the pine program. +2003 updated 2009 Stefan Caunter <stefan.caunter@mohawkcollege.ca> Mohawk College Department of Computer Science Hamilton Ontario Canada |
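Review bot: The @@ -1 and @@ -51 hunks change only the leading whitespace of the title line and of the two quoted passages (every removed line reappears with identical wording), so they read as tab-to-space conversions; either say so in the commit message so a reader does not hunt for a content change, or commit the whitespace cleanup separately from the text updates in the later hunks.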
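Review bot: In the @@ -114 hunk, the OS X Keychain instruction ("Place this in SSL_CERT_DIR and hash it and you're done") conflates the two lookup mechanisms this document keeps distinct later on: SSL_CERT_FILE names one multi-certificate bundle, while SSL_CERT_DIR holds individual PEM files that are located through the hash names c_rehash creates. An export of all System Roots is a single multi-certificate .pem, so the text should say either that SSL_CERT_FILE is pointed at it (as it is at cert.pem in the "SETTING AND EXPORTING ENVIRONMENT VARIABLES" section) or that it must be split into one certificate per file before c_rehash is run in SSL_CERT_DIR. The same hunk states that multiple certificates can no longer be exported from Internet Explorer, yet the @@ -153 hunk still tells the reader to "export them all from IE and transfer it onto your system" and the @@ -166 hunk keeps the PKCS7 export path for IE 5.x; the three passages should agree on which IE versions the procedure still applies to. The curl caextract link is also given as http://curl.haxx.se/docs/caextract.html; since the download is a set of trust anchors, give the https form of the URL and suggest checking the extracted bundle against the Mozilla source the accompanying script reads from.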
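Review bot: In the @@ -166 hunk, "Simply run `sh ssl.certs.shar` in SSL_CERT_DIR" executes the shell code inside a downloaded shell archive with the user's privileges, and it follows directly on the sentence that says to "read the file to see how to get the certs out"; make that order explicit (inspect the shar, confirm it is the one from the MirOS BSD distribution this section names, then run it), and because the rest of the document names the directory as /usr/local/ssl/certs rather than by the variable, write "in the SSL_CERT_DIR directory (/usr/local/ssl/certs by default)". The reworded line "From IE 5.x certs extract as a PKCS7 file and need to be converted with something like:" also needs a comma after "5.x" and a subject for "need"; "From IE 5.x, certs export as a PKCS7 file and must be converted with something like:" reads cleanly.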
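Review bot: In the @@ -208 hunk, dropping "may" and "only" turns two conditional statements into unconditional ones while the qualifying clause "if a non-default location is used, or if certs just can't be found by lynx" is left in place, and the result contradicts the context line just above, "All pem encoded certs in /usr/local/ssl/certs will now be recognized", which says the default location works with no variables set. Keep "only need to be set if a non-default location is used", or, if the intent is to make the troubleshooting step more emphatic, reword the first sentence to "If lynx is still not recognizing certs, the environment variables are the next thing to check".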
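Review bot: In the @@ -226 hunk, the new lynx.cfg example "SSL_CERT_FILE:/etc/ssl/certs/ca-certificates.crt" uses a Debian-style system bundle path, whereas every other path in this document assumes the OpenSSL default /usr/local/ssl/cert.pem; label the path as an example that depends on the distribution, and say that the lynx.cfg setting is subject to the same caveat retained two lines above ("There are issues with SSL_CERT_FILE in 0.9.6x versions of openssl"), since it sets the same variable. Removing the "On many systems setting and exporting them makes all the difference" paragraph is fine: its one concrete point, that sh-type shells need the variables exported as well as set, survives in the @@ -208 context line "if on a sh type shell, the variables also need to be exported".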