2009/6/5 Victor B. Wagner <[email protected]>:
> I think you are missing something with this idea.
>
> OpenSSL now provides two X509_LOOKUP_METHODs - lookup_file and
> lookup_hashed_dir. The first one requires a big multi-cert file with
> concatenated PEM certificates - exactly as your OS provided, I suppose.
>
> The second requires a hashed dir with individual certs and CRLs, one per file.
>
> And it is done for good reason:
>
> If you use the lookup_file method, it loads the entire file into memory.
> And this file can be quite big, if you use CRL checks and have big
> public CAs in your trusted certificate set - a big public CA can have
> multimegabyte CRLs.
>
> If you use the lookup_dir method, OpenSSL would load only certificates and
> CRLs when needed, one at a time, and thus potentially save you much
> space.
>
> Allowing a multi-certificate file to be put into a hashed dir would defeat
> the benefits of the lookup_dir method. Although it would work.
>
> It is better to fix your daemon so it would allow both files and hashed
> directories as the trusted certificate store.
>
> It should be simple - both SSL_CTX_load_verify_locations (which should
> be used for SSL peer certificate validation) and
> X509_STORE_load_locations (which should be used for SMIME, timestamping
> and other non-SSL uses) accept two arguments - name of file and name
> of directory.
>
> If your daemon uses the default cert store location, then the corresponding
> X509_STORE_set_default_paths function supports file and dir too.
> In this case you probably do not need to change code. You just have to
> either set the environment variable SSL_CERT_FILE pointing to your multicert
> file, or make a symlink pointing to this file named cert.pem in your
> OPENSSLDIR (run openssl version -d to determine where your OPENSSLDIR
> is).
Hi,

Okay, thanks for the explanation. I will patch the daemon instead and see if their upstream developers agree with the changes.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
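As an added illustration that is not part of this thread and not the daemon's own code: Python's `ssl` module wraps the same `SSL_CTX_load_verify_locations(ctx, CAfile, CApath)` call Victor describes, so the file-versus-hashed-directory behaviour (eager parse of the bundle file, lazy per-file reads from the directory) and the `SSL_CERT_FILE` / OPENSSLDIR defaults can be checked without a C build. The bundle file and directory below are constructed in a temporary directory purely for the demonstration, and the function names `build_verify_context`, `probe_load_behaviour` and `default_store_env` are my own.

```python
"""Trust-store loading in the two shapes OpenSSL supports: a concatenated PEM
file (X509_LOOKUP_file, parsed when loaded) and a hashed directory
(X509_LOOKUP_hash_dir, read one file at a time when a lookup happens).

Python's ssl.SSLContext.load_verify_locations(cafile, capath) forwards to
SSL_CTX_load_verify_locations(ctx, CAfile, CApath), so a daemon's (file, dir)
handling can be modelled here.  All paths are constructed for illustration.
"""
import ssl
import tempfile
from pathlib import Path


def build_verify_context(cafile=None, capath=None):
    """Client context that trusts only what is in CAfile and/or CApath.

    Mirrors a daemon calling SSL_CTX_load_verify_locations(ctx, cafile, capath):
    either argument may be NULL/None, but not both.
    """
    if cafile is None and capath is None:
        raise ValueError("at least one of cafile or capath is required")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # peer must present a chain we can build
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def probe_load_behaviour(workdir):
    """Show eager-vs-lazy loading with constructed inputs.

    - Empty bundle file: the file lookup parses it immediately and the call
      fails because no certificate or CRL was found.
    - Empty hashed directory: the dir lookup only records the path; objects are
      read later, per <subject-hash>.N file, when a lookup for that hash occurs.
      The call succeeds and nothing is held in memory yet.
    """
    workdir = Path(workdir)
    empty_bundle = workdir / "bundle.pem"
    empty_bundle.write_text("")            # constructed: CAfile with zero certificates
    hashed_dir = workdir / "certs"
    hashed_dir.mkdir()                     # constructed: CApath with no <hash>.0 files yet

    result = {}
    try:
        build_verify_context(cafile=str(empty_bundle))
        result["empty_file_loads"] = True
    except OSError:                        # ssl.SSLError is a subclass of OSError
        result["empty_file_loads"] = False

    ctx = build_verify_context(capath=str(hashed_dir))
    stats = ctx.cert_store_stats()         # objects currently held by the X509_STORE
    result["empty_dir_loads"] = True
    result["objects_in_memory_after_dir_load"] = stats["x509"] + stats["crl"]
    return result


def default_store_env():
    """What OpenSSL consults when a daemon relies on the default store
    (SSL_CTX_set_default_verify_paths / X509_STORE_set_default_paths):
    the SSL_CERT_FILE / SSL_CERT_DIR environment variables and the
    compiled-in OPENSSLDIR locations reported by `openssl version -d`."""
    p = ssl.get_default_verify_paths()
    return {
        "file_env": p.openssl_cafile_env,  # "SSL_CERT_FILE"
        "dir_env": p.openssl_capath_env,   # "SSL_CERT_DIR"
        "builtin_file": p.openssl_cafile,  # typically <OPENSSLDIR>/cert.pem
        "builtin_dir": p.openssl_capath,   # typically <OPENSSLDIR>/certs
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(probe_load_behaviour(tmp))
    print(default_store_env())
```

For a daemon the practical fix is exactly the pattern in `build_verify_context`: accept both a `ca_file` and a `ca_dir` option and pass whichever is set (or both) to one `SSL_CTX_load_verify_locations` call. The hashed directory itself is populated with `openssl rehash` (older releases ship the `c_rehash` script), which creates the `<subject-hash>.N` symlinks the directory lookup expects.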
