I think the first option is better than the second one, as it covers both
possibilities. It gives the user an option to specify a CA trust store file
to use, and if not mentioned we can use the default.


On Thu, Jun 13, 2013 at 4:08 AM, Bartosz Brachaczek
<b.brachac...@gmail.com> wrote:

> 2013/6/12 Wojtek Kaniewski <wojte...@toxygen.net>:
> > As Bartosz wrote
> > the code for GnuTLS will be more complicated, so it may take some time.
>
> Do you have any plan for it? I have performed some research and the
> options seem to be to:
>
> 1) Have a build-time option to explicitly specify a CA trust store
> file to use, and if not specified, default to the first existing of:
>    /etc/ssl/certs/ca-certificates.crt (Debian, Gentoo, Arch),
>    /etc/pki/tls/cert.pem (Fedora),
>    /etc/ssl/ca-bundle.pem (OpenSUSE),
>    /usr/local/share/certs/ca-root-nss.crt (FreeBSD),
>    /etc/ssl/cert.pem (OpenBSD)
>
> If specified, we could use the configured file and ignore system
> default altogether for both OpenSSL and GnuTLS. But if it was guessed,
> probably we should rather use OpenSSL's and GnuTLS's (in case of
> GnuTLS 3.0 or newer) default.
>
> 2) Another option would be to simply hard-code all these paths for
> GnuTLS older than 3.0 and not provide any build-time option at all.
> And as I'm thinking about that, it actually seems to be the best
> option to me.
>
> 3) For the sake of completeness: We could also require GnuTLS v3, but
> it's really a no-go because we should fix this issue in the 1.11 line
> and raising library requirements to something that even Debian 7.0
> doesn't have is a very bad idea.
>
> What do you think?
>
> --Bartosz
> _______________________________________________
> libgadu-devel mailing list
> libgadu-devel@lists.ziew.org
> http://lists.ziew.org/mailman/listinfo/libgadu-devel
>



-- 




Regards,
Radhesh Krishnan K.
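
The selection order described in option 1 of the quoted message, written out as an added example that is not part of the thread or of libgadu's code. `choose_ca_source`, `enum ca_source` and the `lib_has_default` flag are hypothetical names, and the caller is assumed to abort the connection when no trust store can be loaded.

```c
#include <stdio.h>
#include <unistd.h>

/* Fallback paths quoted in the thread, in the order given there. */
static const char *const ca_candidates[] = {
    "/etc/ssl/certs/ca-certificates.crt",     /* Debian, Gentoo, Arch */
    "/etc/pki/tls/cert.pem",                  /* Fedora */
    "/etc/ssl/ca-bundle.pem",                 /* OpenSUSE */
    "/usr/local/share/certs/ca-root-nss.crt", /* FreeBSD */
    "/etc/ssl/cert.pem",                      /* OpenBSD */
    NULL
};

enum ca_source { CA_CONFIGURED, CA_LIBRARY_DEFAULT, CA_PROBED, CA_NONE };

/* Hypothetical helper, not libgadu API.
 * configured:      build-time path, or NULL/"" when the option was not given
 * lib_has_default: nonzero when the TLS library can load its own system
 *                  trust store (OpenSSL, or GnuTLS 3.0 and newer)
 * path_out:        file to load for CA_CONFIGURED / CA_PROBED, else NULL */
enum ca_source choose_ca_source(const char *configured, int lib_has_default,
                                const char *const *candidates,
                                const char **path_out)
{
    *path_out = NULL;
    if (configured != NULL && configured[0] != '\0') {
        /* Explicit choice wins and is not probed: if the file is missing,
         * loading must fail loudly instead of falling back to a guess. */
        *path_out = configured;
        return CA_CONFIGURED;
    }
    if (lib_has_default)
        return CA_LIBRARY_DEFAULT;
    for (; *candidates != NULL; candidates++) {
        if (access(*candidates, R_OK) == 0) {
            *path_out = *candidates;
            return CA_PROBED;
        }
    }
    return CA_NONE; /* caller must refuse to connect, not skip verification */
}

int main(void)
{
    const char *path;
    enum ca_source src = choose_ca_source(NULL, 0, ca_candidates, &path);
    printf("source=%d path=%s\n", (int)src, path ? path : "(none)");
    return 0;
}
```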