On Tue, Aug 10, 2010 at 06:13:42PM +0100, Darren J Moffat wrote:
> On 10/08/2010 17:40, [email protected] wrote:
> >Does openssl provide any interface that would allow me to get the
> >default cacerts directory? The information is in the config file, but
> >I'd hate to go looking through that by hand. If it's possible to get
> >this information dynamically, we might be able to get the default right
> >on multiple platforms.
>
> I believe you can do this using <openssl/conf.h> API such as:
>
> NCONF_load(conf,configfile,&errorline)
> NCONF_get_string(conf,BASE_SECTION,ENV_DEFAULT_CA)
>
> But then you have the same problem finding the location of the
> config file! The openssl(1) 'ca' subcommand uses OPENSSL_CONF and
> then a hardcoded (compile time) value which on Solaris is
> /etc/openssl/openssl.cnf
>
> I'd also say that strictly speaking that section on openssl.cnf
> isn't for applications but for the 'openssl ca' command and it
> shouldn't be used by applications.
Ok, after reading your explanation, I agree that asking OpenSSL doesn't sound ideal.

I'm wondering if it would be better to configure the CA path as an image-property. This means that we pick a default initially, but that the user/administrator could change it by using the 'pkg set-property' command. Does this seem useful, or would this open us up to more security problems instead?

Thanks,
-j

_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
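The lookup chain Darren describes (locate the config via OPENSSL_CONF or the build-time default, then `ca` -> `default_ca` -> the CA section's `dir`), as an added example that is not part of this thread: a small Python reimplementation of the openssl.cnf subset involved, run over a constructed config rather than the real libcrypto NCONF API. The section and key names are assumed to match what `openssl ca` reads; the sample config and paths are constructed for illustration.

```python
import os
import re

# Constructed sample in the syntax NCONF_load() reads: a default section
# before the first [header], then named sections with $var expansion.
SAMPLE_CNF = """
HOME = .
[ ca ]
default_ca = CA_default          # which section 'openssl ca' uses

[ CA_default ]
dir      = $HOME/demoCA          # the CA directory the thread asks about
certs    = $dir/certs
database = $dir/index.txt
"""


def expand(value, sections, current):
    """Resolve $var, ${var}, $sect::var and $ENV::var the way the OpenSSL
    config parser does: unqualified names are looked up in the current
    section first, then in the unnamed default section."""
    def repl(m):
        name = m.group(1) or m.group(2)
        sect, _, var = name.rpartition("::")
        if sect == "ENV":
            return os.environ.get(var, "")
        lookup = sections.get(sect, {}) if sect else sections[current]
        if not sect and var not in lookup:
            lookup = sections["default"]
        return lookup[var]
    return re.sub(r"\$\{([^}]+)\}|\$(\w+(?:::\w+)?)", repl, value)


def parse_openssl_cnf(text):
    """Parse section headers, 'key = value' lines and '#' comments."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed config line: %r" % raw)
        sections[current][key.strip()] = expand(value.strip(), sections, current)
    return sections


def ca_dir_from_config(text):
    """NCONF_get_string(conf, "ca", "default_ca") names the CA section;
    that section's "dir" is the directory the original question wanted."""
    conf = parse_openssl_cnf(text)
    return conf[conf["ca"]["default_ca"]]["dir"]


def config_file_path(env=os.environ, compile_time_default="/etc/openssl/openssl.cnf"):
    """Same search order as openssl(1): OPENSSL_CONF, then the build-time
    path (the Solaris value quoted in the thread, assumed here)."""
    return env.get("OPENSSL_CONF", compile_time_default)
```

Note that this only reproduces what `openssl ca` would see; as the thread concludes, the `[ca]` section is that command's configuration, not an application-facing interface.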
