Currently the module tool will use the default set of CA certs when making an SSL connection to the forge. However, this is very fragile, because it requires that:
- OpenSSL `set_default_paths` is implemented for that platform (it's not for Windows)
- the cacerts bundle is present and updated (it's not for Windows and some versions of Solaris)
- the forge SSL cert is issued by a well-known CA (it may not be, especially when using an internal/private forge)
This has led to a number of issues like:
We need to modify the module tool so that it initializes the SSL context with a set of trusted CAs. The most secure approach is to specify them in code. Specifying an external file is a possibility, but you have to be careful of file system permissions.
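
A sketch of the in-code approach, added here as an illustration and not taken from the module tool's source: the context trusts only the CA PEMs handed to it and never calls `set_default_paths`. The helper names `make_cert`, `pinned_ssl_context` and `check_peer` are hypothetical, and the certificates are throwaway ones generated on the spot so the example runs offline.

```ruby
require 'openssl'

# Constructed helper: mints a throwaway certificate so the example runs offline.
# With no issuer it returns a self-signed CA; otherwise a leaf signed by that CA.
def make_cert(cn, issuer = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = issuer ? 2 : 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless issuer
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Hypothetical helper: an SSL context that trusts only the CA PEMs compiled
# into the tool. It never calls set_default_paths, so the platform CA bundle
# (or its absence) has no influence on which forge certificates are accepted.
def pinned_ssl_context(ca_pems)
  store = OpenSSL::X509::Store.new
  ca_pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx
end

# Returns [accepted?, error string] for a peer certificate under the pinned store.
def check_peer(ctx, cert)
  ok = ctx.cert_store.verify(cert)
  [ok, ctx.cert_store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  ca, ca_key = make_cert('Constructed Forge CA')
  rogue, rogue_key = make_cert('Constructed Other CA')
  ctx = pinned_ssl_context([ca.to_pem])
  p check_peer(ctx, make_cert('forge.example.test', ca, ca_key).first)
  p check_peer(ctx, make_cert('forge.example.test', rogue, rogue_key).first)
end
```

With `Net::HTTP` the same store is applied through `http.cert_store=` and `http.verify_mode=`.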