Viktor Dukhovni <[email protected]> (Thu 27 Nov 2014 19:24:46 CET):
> With OpenSSL that list (of distinguished names, not full certificates)
> is taken from the list of CAs in CAfile, with the CAs in CApath
> used only for verification, but not for "hinting".

Yes, this difference is mentioned in Exim's spec file.

> I don't know what GnuTLS does, but I generally recommend a short
> or empty CAfile, with verification-only certificates in CApath.
> This also yields a lower memory footprint. In other words,
> don't use an in-memory bundle file, use a hashed directory.

Is OpenSSL capable of using the CAfile for hinting and using the CApath for verification at the same time?

-- 
Heiko
-- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
