On 22/09/14 14:57, Viktor Dukhovni wrote:
> On Fri, Sep 19, 2014 at 04:11:31PM +0100, Jeremy Harris wrote:
>
>> Mind, I think I see an issue in the openssl implementation;
>> does anyone actually use it? I *think* the only advertised
>> acceptable CAs are those from a file, not from a dir...
>
> Lots of people use CApath with OpenSSL. You need to run c_rehash,
> and be mindful of the fact that the hash symlinks are different
> for OpenSSL 0.9.x vs. 1.0.0 and later. Some versions of c_rehash
> generate both.

I was concerned about exim's usage, not the OpenSSL library per se.

It turns out that both OpenSSL and GnuTLS intentionally violate the letter of the standard in the relevant area (the list of acceptable CAs for client certificates that the server sends); hence the apparent failing of the exim usage is possibly moot (depending on whether other SSL libraries also ignore the list as received at the client).

--
Cheers,
Jeremy
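
The CApath layout mentioned in the quoted reply above, as an added example that is not part of the original thread: it creates by hand the hash symlinks for both the 1.0.0-and-later and the 0.9.x naming and checks that the directory is then usable as a trust store. The function names and the sample CA are constructed for illustration, and the certificate is assumed to live inside the CApath directory.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Requires the openssl CLI.

# make_sample_ca DIR: write a throwaway self-signed CA (constructed sample).
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Example CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# link_both_hashes CERT CAPATH: create <hash>.N symlinks for the new
# (1.0.0 and later) and the old (0.9.x) subject-name hash of CERT.
# CERT must be a file inside CAPATH, since the links are relative.
link_both_hashes() {
    cert=$1; capath=$2
    for opt in -subject_hash -subject_hash_old; do
        h=$(openssl x509 -noout "$opt" -in "$cert") || return 1
        # Different CAs can share a hash; take the first free suffix.
        n=0
        while [ -e "$capath/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$capath/$h.$n" || return 1
    done
}

# capath_trusts CERT CAPATH: succeed only if CERT verifies against CAPATH.
capath_trusts() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Stand-alone use: ./script.sh /path/to/capath/ca.pem /path/to/capath
if [ "$#" -eq 2 ]; then
    link_both_hashes "$1" "$2" && capath_trusts "$1" "$2" && echo "CApath ready"
fi
```

A PEM file dropped into the directory without its hash link is not found by the lookup, which is why the check fails before linking and succeeds after.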
