DJ Lucas wrote:
Agathoklis D. Hatzimanikas wrote:
Hi Dj and thanks for doing this,
Ok. Previously, I had thought that OpenSSL could be configured to use CAfile by default. Unfortunately, that is not the case. I would think that most people using openssl commands would be able to figure out that -CAfile is required (or likely already know it). Programmers who use SSL know this already and most account for it. Unfortunately, this differs from previous behavior when OpenSSL shipped their own CAs, and CApath had (well, still has) a default.

I wrote a little script to populate CApath from the root certificates file. It's attached if anybody thinks that it would be useful, or has old programs that don't know about CAfile. I was considering suggesting that this go into the book so that OpenSSL (and tools) gets its old behavior back, but I don't think that it is necessary considering how few noticed that OpenSSL's verify was broken without further configuration.

Script is attached.

-- DJ Lucas



Attachment: mkpems.sh
Description: application/shellscript
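
One way to do what the message describes, populating a CApath directory from a single root-certificate bundle, shown as an added example. It is not the attached mkpems.sh; the function names and the cert-NNN.pem file naming are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not the attached mkpems.sh: build a CApath directory from a
# CAfile-style bundle. File names (cert-NNN.pem) are this example's choice.

# split_bundle BUNDLE DIR: write each PEM certificate block to its own file
# and print the number of blocks found. Text between blocks is dropped.
split_bundle() {
    bundle=$1; dir=$2
    mkdir -p "$dir" || return 1
    rm -f "$dir"/cert-*.pem
    awk -v dir="$dir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n); inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# link_hashes DIR: create the <subject-hash>.<n> symlinks that OpenSSL looks
# up in a CApath directory. Blocks that do not parse as X.509 are skipped.
link_hashes() {
    dir=$1
    for old in "$dir"/*.[0-9]*; do        # drop links left by an earlier run
        if [ -L "$old" ]; then rm -f "$old"; fi
    done
    for pem in "$dir"/cert-*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -noout -hash -in "$pem" 2>/dev/null) || {
            echo "skipping unparsable block: $pem" >&2
            continue
        }
        i=0   # colliding subject hashes get .0, .1, .2, ...
        while [ -e "$dir/$hash.$i" ] || [ -L "$dir/$hash.$i" ]; do
            i=$((i + 1))
        done
        ln -s "$(basename "$pem")" "$dir/$hash.$i"
    done
}

# populate_capath BUNDLE DIR: split, link, and print the block count.
populate_capath() {
    count=$(split_bundle "$1" "$2") || return 1
    link_hashes "$2"
    echo "$count"
}

# Runs only when invoked as: sh script.sh BUNDLE DIR
if [ "$#" -eq 2 ]; then populate_capath "$1" "$2"; fi
```

After it runs, `openssl verify -CApath DIR cert.pem` can find issuers in the directory without `-CAfile`.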
