On Tue, Nov 09, 2010 at 01:45:15PM +0000, Bruce Stephens wrote:
> Michael Ströder <mich...@stroeder.com> writes:
>
> > Bruce Stephens wrote:
> > [...]
> > >> Ah, my fault. Obvious in retrospect: Debian's openssl finds the root
> > >> cert because it's in the ca-certificates package!
> >
> > Did you use -CAfile as in my original posting when testing?
>
> I did.
>
> > Doesn't -CAfile set exclusively all trusted CA certs?
>
> Apparently not, the normal openssl.cnf is read and (on Debian, if
> ca-certificates is installed) that gives a set of extra CA certificates.
Correct. This *augments* the default certificate list, found in the
'certs/' sub-directory and 'cert.pem' file of the directory reported by
"openssl version -d".

From crypto/cryptlib.h:

#define X509_CERT_AREA OPENSSLDIR
#define X509_CERT_DIR  OPENSSLDIR "/certs"
#define X509_CERT_FILE OPENSSLDIR "/cert.pem"

The OpenSSL toolkit does not include any default roots. These are
configured by the O/S release engineering teams.

--
Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
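An added check that illustrates the point above (example script, not part of the thread or of the OpenSSL project): it builds a throw-away CA and leaf, uses SSL_CERT_DIR (honoured by the openssl command-line tools) as a stand-in for the distribution's hashed certs/ directory, and shows that `-CAfile` alone still verifies against that directory, while `-no-CApath -no-CAfile` (OpenSSL 1.1.0 or later) make the trust set exclusive. All certificate names and the `demo`/`check` helpers are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSL itself. Shows that
# "openssl verify -CAfile" still consults the default hashed certs/ directory,
# and how -no-CApath/-no-CAfile (OpenSSL 1.1.0+) make the trust set exclusive.
# SSL_CERT_DIR stands in for OPENSSLDIR/certs so nothing touches the real store.
set -e

# Directory OpenSSL reports as OPENSSLDIR (certs/ and cert.pem live under it).
default_store_dir() { openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/'; }

# Constructed test material in $1: ca.pem signs leaf.pem, other.pem is an
# unrelated self-signed cert, cadir/ is a hashed directory holding only ca.pem.
make_certs() {
  d=$1
  gen="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  openssl req -x509 $gen -days 1 -keyout "$d/ca.key" -out "$d/ca.pem" \
    -subj "/CN=Constructed Test CA" 2>/dev/null
  openssl req -x509 $gen -days 1 -keyout "$d/other.key" -out "$d/other.pem" \
    -subj "/CN=Unrelated CA" 2>/dev/null
  openssl req $gen -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=leaf.example" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" -days 1 2>/dev/null
  mkdir -p "$d/cadir"
  # by_dir lookups expect <subject-hash>.0, which is what c_rehash would create
  cp "$d/ca.pem" "$d/cadir/$(openssl x509 -hash -noout -in "$d/ca.pem").0"
}

# Verify $1/leaf.pem with the remaining arguments; prints "ok" or "fail".
check() {
  dir=$1; shift
  if openssl verify "$@" "$dir/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Three cases with the "system" certs/ directory (SSL_CERT_DIR) holding our CA.
# Prints "ok fail ok".
demo() {
  d=$(mktemp -d); make_certs "$d"
  export SSL_CERT_DIR="$d/cadir"
  r1=$(check "$d" -CAfile "$d/other.pem")                       # ok: certs/ dir still consulted
  r2=$(check "$d" -no-CApath -no-CAfile -CAfile "$d/other.pem") # fail: exclusive, wrong CA
  r3=$(check "$d" -no-CApath -no-CAfile -CAfile "$d/ca.pem")    # ok: exclusive, right CA
  unset SSL_CERT_DIR; rm -rf "$d"
  echo "$r1 $r2 $r3"
}
```

On OpenSSL 3.x there is additionally a default `-CAstore`, so add `-no-CAstore` as well when the trust set must be strictly limited to the file you name.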