On Sun, Jul 27, 2014 at 2:16 AM, Florian Zumbiehl <fl...@florz.de> wrote:

> ping?
>
> > This is a fix for OpenSSL tickets #977 and #3213, loosely based on patch from
> > Reuben Thomas from #3213.
>

Hmm, what a mess.  The "smime" and "ocsp" subcommands use an internal
function setup_verify() to get the compiled in paths for CAfile and CApath
independently: if you only specify one you still get the compiled in path
for the other.

In contrast, the "pkcs12" subcommand uses the compiled in paths only if you
don't specify either option.  (The "x509" subcommand has similar code, but
it's not clear to me whether the CAs are actually *used* in that code
path.)  This is the behavior that the suggested patch gives: supplying one
option turns off the compiled in value for the other.

The others don't use the compiled in values at all, as noted.


Is this an area where the current behavior cannot be used safely?  No.
Indeed, using CAs in circumstances where OpenSSL doesn't may create
security issues for existing scripts using the openssl command.

*If* using the compiled in paths is correct, then I would think using the
setup_verify() function and thus following the behavior of "smime" and
"ocsp" would be a better choice, but changing that behavior seems unwise.


Philip Guenther
