Dan Kegel wrote:
> 1. What parts of the openssl library and apps use the directories
>    'certs' and 'private', or otherwise have hardcoded paths to
>    the installation directories?  It's hard to tell from the source.
> 
> 2. I'm bundling openssl into another application which is
>    distributed as a binary tarball which can be untarred
>    anywhere.  I assume there are hardcoded paths in the openssl
>    binaries or libraries to help locate directories like
>    'certs' and 'private'.  Is this the case?  If so, I'll need
>    to work around it somehow so openssl will be able to find those
>    directories.  This seems like a possible frequently asked question,
>    has it been answered somewhere before?

I did some spelunking in the C source and objects.  After running
  for a in $(find . -name '*.o' -print); do
     strings < "$a" > "$a.str"       # dump printable strings of each object
  done
  grep '/private' {*,*/*}/*.str     # hunt for the hardcoded directory name
and learned that crypto/x509/x509_def.c is where those
paths are hardcoded, and where the environment variable SSL_CERT_DIR
is referenced (used in overriding the default path for 'certs').
This gets used e.g. in apps/{crl,smime,verify}.c
when they call X509_LOOKUP_load_* functions, I think.
So 'openssl crl', 'openssl smime', and 'openssl verify' probably
refer to the 'certs' directory.

On the other hand, the only reference to "private" in the C code is via
X509_get_default_private_dir(), and that function isn't called
by anything written in C in the openssl package, as far as I can tell.
Is that correct?

As for scripts, apps/CA.pl refers to both "certs" and "private" literally,
and ignores the SSL_CERT_DIR environment variable, but also runs "openssl ca",
so it can get badly out of whack if you use that environment variable.
(Looks like a fragile little utility.)

Does a server that does not verify client certs ever access either
of those directories?
- Dan
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
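An added example to go with the thread above (it is not part of Dan's post and not OpenSSL project code). CPython's ssl.get_default_verify_paths() is a thin wrapper over X509_get_default_cert_file_env(), X509_get_default_cert_file(), X509_get_default_cert_dir_env() and X509_get_default_cert_dir(), the functions defined in crypto/x509/x509_def.c, so it can be used to read the compiled-in paths and the environment variable names without writing C. The example then shows the two behaviours a relocatable bundle cares about: the SSL_CERT_DIR override that the hash-dir lookup applies, and a context that loads trust anchors only from an explicit directory, so the compiled-in path is never consulted. The bundle layout `<root>/certs` is an assumption for illustration.

```python
"""
Added example, not from the original post or from OpenSSL itself.
Inspects the paths libcrypto compiled in (crypto/x509/x509_def.c) via
the standard-library ssl module and shows how a relocatable bundle can
sidestep them.  Standard library only; no network access.
"""
import os
import ssl


def default_cert_paths():
    """Return the compiled-in defaults and the env vars that override them.

    openssl_* fields come straight from X509_get_default_cert_file_env(),
    X509_get_default_cert_file(), X509_get_default_cert_dir_env() and
    X509_get_default_cert_dir(), regardless of the current environment.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile_env": p.openssl_cafile_env,  # normally "SSL_CERT_FILE"
        "cafile": p.openssl_cafile,          # e.g. <OPENSSLDIR>/cert.pem
        "capath_env": p.openssl_capath_env,  # normally "SSL_CERT_DIR"
        "capath": p.openssl_capath,          # e.g. <OPENSSLDIR>/certs
    }


def effective_cert_dir(env=None):
    """Reproduce the lookup order the hash-dir X509_LOOKUP uses when it is
    asked to add the default directory: the SSL_CERT_DIR value if set,
    otherwise the compiled-in certs directory.

    `env` defaults to os.environ; pass a dict to test without touching the
    real environment.
    """
    env = os.environ if env is None else env
    d = default_cert_paths()
    return env.get(d["capath_env"]) or d["capath"]


def make_bundle_context(bundle_root):
    """Build a verifying client context that trusts only <bundle_root>/certs.

    set_default_verify_paths() is deliberately never called, so neither the
    compiled-in directory nor SSL_CERT_DIR is consulted; that is the
    behaviour a binary tarball untarred anywhere wants.  The directory must
    use OpenSSL's hash-dir layout (<subject-hash>.0 files, as produced by
    c_rehash), or nothing in it will be found.  The <root>/certs layout is
    an assumption of this example.
    """
    capath = os.path.join(bundle_root, "certs")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(capath=capath)
    return ctx, capath


if __name__ == "__main__":
    for k, v in default_cert_paths().items():
        print(f"{k:11s} {v}")
    print("effective certs dir:", effective_cert_dir())
    _, used = make_bundle_context(os.path.dirname(os.path.abspath(__file__)))
    print("bundle context trusts only:", used)
```

Running it prints the env var names and the compiled-in defaults for the libcrypto Python was built against; set SSL_CERT_DIR before running to watch effective_cert_dir() change while the compiled-in value stays put. The CA.pl problem mentioned in the post is visible here too: a tool that honours the env var and a script that hardcodes "certs" will disagree the moment SSL_CERT_DIR is set.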