Bug 274016

While discussing Bug 269473 me and others discovered that it is an abuse of /usr/local/etc/ssl/certs and likely /usr/local/etc/ssl/blacklisted.

certctl(8) defines the following input directories:
>      TRUSTPATH         List of paths to search for trusted certificates.
>                        Default: <DESTDIR>/usr/share/certs/trusted
>                        <DESTDIR>/usr/local/share/certs
>                        <DESTDIR>/usr/local/etc/ssl/certs
> 
>      BLACKLISTPATH     List of paths to search for blacklisted certificates.
>                        Default: <DESTDIR>/usr/share/certs/blacklisted
>                        <DESTDIR>/usr/local/etc/ssl/blacklisted

TRUSTPATH: <DESTDIR>/usr/local/etc/ssl/certs
When any OpenSSL derivate is installed from ports, is expects that its rehash algorithm puts hashed links to /usr/local/etc/ssl/certs. This is not supposed to be an input directory to another hashing process, but solely output to ports hashing and input for any ports OpenSSL derivate. An implementation detail so to speak. The actual subject hashing is an implementation detail and not publically documented unless you read the source code.
In that spirit, this dir should be deprecated and removed w/o replacement since we have <DESTDIR>/usr/local/share/certs for custom certs beyond base.

BLACKLISTPATH: <DESTDIR>/usr/local/etc/ssl/blacklisted. This is logically identical to the above. /usr/local/etc/ssl serves as OPENSSLDIR. The actual, logical path should be <DESTDIR>/usr/local/share/certs/blacklisted. Identical approach, introduce new one, deprecate and remove old one.

I am certain that I have discussed this to some degree with Kyle Evans (kevans@), but he has left the topic, unfortunately.