Re: [openssl-users] Possible bug in verifying a certificate if default root store is configured
On Thu, Dec 6, 2012 at 2:16 AM, Ralph Holz ralph-openssl-...@ralphholz.de wrote:

-CAfile file
A file of trusted certificates.

The lookup first looks in the list of untrusted certificates and if no match is found the remaining lookups are from the trusted certificates. The root CA is always looked up in the trusted certificate list: if the certificate to verify is a root certificate then an exact match must be found in the trusted list.

This has led me to believe -CAfile would cause openssl to ignore a default path to certs. I am surprised CAPath is still evaluated if you indicate a CAFile. However, as strace shows:

I've attached a diff against HEAD for verify.pod. Is it any good?

Attachment: verify.pod-HEAD.diff
Re: [openssl-users] Possible bug in verifying a certificate if default root store is configured
On Thu, Dec 6, 2012 at 12:00 PM, Erwann Abalea erwann.aba...@keynectis.com wrote:

There's the same behaviour with -CAfile. If -CAfile isn't specified, then the default platform CA file is used (by default, /usr/lib/ssl/cert.pem). This is true for verify, ocsp, smime, and cms.

Oh, right. New diff attached.

Attachment: verify.pod-HEAD.diff
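
The behaviour discussed in this thread can be reproduced with a throwaway PKI. This is an added example, not part of the original messages or of the attached diff: it verifies a leaf issued by CA B while passing only CA A in -CAfile, and uses the SSL_CERT_DIR environment variable to stand in for the platform's default CApath. The CA names, subjects, file names and helper functions are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: CA names, subjects and directories are constructed for the demo.

# Build a throwaway PKI in $1: root CAs "A" and "B", plus a leaf issued by B.
make_pki() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
    for ca in A B; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
            -subj "/CN=Demo CA $ca" -keyout "$d/ca$ca.key" -out "$d/ca$ca.pem" \
            2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj "/CN=leaf.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/caB.pem" -CAkey "$d/caB.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null || return 1
    # Stand-in for the platform default CApath: only CA B, under its hash name.
    mkdir "$d/default-certs" "$d/empty-certs" || return 1
    cp "$d/caB.pem" \
        "$d/default-certs/$(openssl x509 -in "$d/caB.pem" -noout -hash).0"
}

# True if `openssl verify` reports OK. $1 is the directory presented to OpenSSL
# as its default CApath (via SSL_CERT_DIR); the rest are `openssl verify` args.
verify_ok() {
    certdir=$1; shift
    SSL_CERT_DIR=$certdir openssl verify "$@" 2>/dev/null | grep -q ': OK$'
}

# Reports whether the leaf verifies when -CAfile names only CA A.
# $1 = PKI directory, $2 = directory exposed as the default CApath.
leaf_status() {
    verify_ok "$2" -CAfile "$1/caA.pem" "$1/leaf.pem" && echo accepted || echo rejected
}

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
make_pki "$PKI" || exit 1
echo "default CApath holds CA B: $(leaf_status "$PKI" "$PKI/default-certs")"
echo "default CApath is empty:   $(leaf_status "$PKI" "$PKI/empty-certs")"
```

OpenSSL 1.1.0 and later also accept -no-CApath and -no-CAfile on verify to skip the default locations; pointing SSL_CERT_DIR at an empty directory, as above, works on older builds too.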