On 01.05.2015 17:11, Stefan Sperling wrote: > I believe SSL_X509_INFO_load_path() should be inlined into > its only caller.
I'm +1 for this. The "Low-Level CA Certificate Loading" part in ssl_util_ssl.c is / was only used by ssl_init_proxy_certs, so I would be in favor of also moving SSL_X509_INFO_load_file to ssl_engine_init.c (and making it static). > Regarding the removed comment about merging the dir-read loop > with another one: I don't think that's worth it. If we can get rid of code duplication on this occasion, then I think we should do so - it makes future maintenance easier if there is common code for loading CA files from a directory, be that for client authentication (SSLCACertificatePath) or for proxy connections (SSLProxyCACertificatePath). Kaspar
