I think the first option is better than the second one, as it covers both possibilities. It gives the user an option to specify a CA trust store file to use, and if not mentioned we can use the default.

On Thu, Jun 13, 2013 at 4:08 AM, Bartosz Brachaczek <b.brachac...@gmail.com> wrote:

> 2013/6/12 Wojtek Kaniewski <wojte...@toxygen.net>:
> > As Bartosz wrote
> > the code for GnuTLS will be more complicated, so it may take some time.
>
> Do you have any plan for it? I have performed some research and the
> options seem to be to:
>
> 1) Have a build-time option to explicitly specify a CA trust store
> file to use, and if not specified, default to the first existing of:
> /etc/ssl/certs/ca-certificates.crt (Debian, Gentoo, Arch),
> /etc/pki/tls/cert.pem (Fedora),
> /etc/ssl/ca-bundle.pem (OpenSUSE),
> /usr/local/share/certs/ca-root-nss.crt (FreeBSD),
> /etc/ssl/cert.pem (OpenBSD)
>
> If specified, we could use the configured file and ignore system
> default altogether for both OpenSSL and GnuTLS. But if it was guessed,
> probably we should rather use OpenSSL's and GnuTLS's (in case of
> GnuTLS 3.0 or newer) default.
>
> 2) Another option would be to simply hard-code all these paths for
> GnuTLS older than 3.0 and not provide any build-time option at all.
> And as I'm thinking about that, it actually seems to be the best
> option to me.
>
> 3) For the sake of completeness: We could also require GnuTLS v3, but
> it's really a no-go because we should fix this issue in the 1.11 line
> and raising library requirements to something that even Debian 7.0
> doesn't have is a very bad idea.
>
> What do you think?
>
> --Bartosz
> _______________________________________________
> libgadu-devel mailing list
> email@example.com
> http://lists.ziew.org/mailman/listinfo/libgadu-devel
>

--
Regards,
Radhesh Krishnan K.
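
The selection order described in option 1 of the quoted message, as an added example (not code from libgadu or from anyone in this thread). The names `select_ca_store`, `ca_source`, `ca_candidates` and the `lib_has_default` flag are assumptions made for illustration; the candidate paths are the ones listed in the message.

```c
#include <stddef.h>
#include <unistd.h>

/* Where the trust anchors come from (enum names are assumptions for this example). */
enum ca_source { CA_CONFIGURED, CA_LIBRARY_DEFAULT, CA_GUESSED_FILE, CA_NONE };

/* Candidate bundle paths listed in the thread, in the order given there. */
const char *const ca_candidates[] = {
    "/etc/ssl/certs/ca-certificates.crt",     /* Debian, Gentoo, Arch */
    "/etc/pki/tls/cert.pem",                  /* Fedora */
    "/etc/ssl/ca-bundle.pem",                 /* OpenSUSE */
    "/usr/local/share/certs/ca-root-nss.crt", /* FreeBSD */
    "/etc/ssl/cert.pem",                      /* OpenBSD */
    NULL
};

/* Return the first readable path in a NULL-terminated list, or NULL. */
static const char *first_readable(const char *const *paths)
{
    for (; *paths != NULL; paths++)
        if (access(*paths, R_OK) == 0)
            return *paths;
    return NULL;
}

/*
 * Option 1 from the thread:
 *  - a build-time path, if given, wins and the system default is ignored;
 *  - otherwise a library with its own default store (OpenSSL, or
 *    GnuTLS 3.0 or newer) uses that default, and *path stays NULL;
 *  - otherwise (GnuTLS older than 3.0) use the first existing candidate.
 * CA_NONE means no trust store was found; the caller should treat that
 * as an error rather than skip certificate verification.
 */
enum ca_source select_ca_store(const char *configured, int lib_has_default,
                               const char *const *candidates, const char **path)
{
    *path = NULL;
    if (configured != NULL && configured[0] != '\0') {
        *path = configured;
        return CA_CONFIGURED;
    }
    if (lib_has_default)
        return CA_LIBRARY_DEFAULT;
    *path = first_readable(candidates);
    return *path != NULL ? CA_GUESSED_FILE : CA_NONE;
}
```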