From e7417754da0fe7f7ebbadb4a6c757689b0afccb1 Mon Sep 17 00:00:00 2001
From: Michael Osipov <michaelo@FreeBSD.org>
Date: Fri, 5 Dec 2025 17:15:43 +0100
Subject: [PATCH] Update certificate dirs and file names on FreeBSD

FreeBSD contains a canonical certstore managed by certctl(8) since 12.2 located
in the base system (/etc/ssl), search there first. Alternatively, a user can
populate a custom store in distbase (/usr/local/etc/ssl) with certctl(8) which
shall be queried if the former does not exist. At last, there is a store for
OpenSSL from the ports (/usr/local/openssl) outside of certctl(8)'s reach.
Within these there can be also a bundle in parallel to a hashed directory.

This fixes #20 and fixes #37
---
 src/lib.rs | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/lib.rs b/src/lib.rs
index 138a6c9..7d8bbec 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -140,10 +140,13 @@ const CERTIFICATE_DIRS: &[&str] = &[
     "/etc/pki/tls/certs", // Fedora, RHEL
 ];
 
+// see manpage of certctl(8): https://man.freebsd.org/cgi/man.cgi?query=certctl&sektion=8
+// see security/openssl* ports
 #[cfg(target_os = "freebsd")]
 const CERTIFICATE_DIRS: &[&str] = &[
-    "/etc/ssl/certs",         // FreeBSD 12.2+,
-    "/usr/local/share/certs", // FreeBSD
+    "/etc/ssl/certs",
+    "/usr/local/etc/ssl/certs",
+    "/usr/local/openssl/certs",
 ];
 
 #[cfg(any(target_os = "illumos", target_os = "solaris"))]
@@ -177,7 +180,12 @@ const CERTIFICATE_FILE_NAMES: &[&str] = &[
 ];
 
 #[cfg(target_os = "freebsd")]
-const CERTIFICATE_FILE_NAMES: &[&str] = &["/usr/local/etc/ssl/cert.pem"];
+const CERTIFICATE_FILE_NAMES: &[&str] = &[
+    "/etc/ssl/cert.pem",
+    "/usr/local/etc/ssl/cert.pem",
+    "/usr/local/openssl/cert.pem",
+    "/usr/local/share/certs/ca-root-nss.crt",
+];
 
 #[cfg(target_os = "dragonfly")]
 const CERTIFICATE_FILE_NAMES: &[&str] = &["/usr/local/share/certs/ca-root-nss.crt"];