There doesn't seem to be any documentation in the .pod files of the
"SSL_CTX_set_default_paths" function or of the environment variables
"SSL_CERT_FILE" and "SSL_CERT_DIR" which can change the value it
returns. This came up recently in discussion on the wget list. The
"wget" file retriever does not use the defaults (instead specifying
the location of the trusted certificate each time on the command
line), and the developers were not familiar with this function to
set the default paths. Is the lack of documentation an oversight (or
on the "to-do" list), or is use of the default paths deprecated?
There was some hesitancy on the wget list to use an openssl function
that doesn't seem to have documentation. This has affected other
applications also. The "curl" file retriever sets its own default
locations (also related to the developers having been unfamiliar with
the function when its ssl code was written). The "lynx" browser does
use "SSL_CTX_set_default_paths". I am not sure what other applications
which link to the openssl library do.
Can anyone comment on the status of "SSL_CTX_set_default_paths"
and the associated functions (X509_STORE_set_default_paths,
X509_LOOKUP_file, X509_LOOKUP_hash_dir, by_file_ctrl,
X509_get_default_file_cert_env, X509_get_default_cert_dir_env and
dir_ctrl)?
Also, the function "dir_ctrl" in crypto/x509/by_dir.c looks wrong to
me. Shouldn't it be checking for the environment variable first, then
getting the default if no environment variable is specified (the way
by_file_ctrl does in crypto/x509/by_file.c)? Sorry if I am misreading
what that function is doing. The code looks the same in 0.9.7 and
0.9.8.
Doug
--
Doug Kaufman
Internet: [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
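The precedence question raised above (environment variable first, compiled-in default only when the variable is absent) is easy to get wrong, so here is an added example that is not OpenSSL code and not the poster's: a small C model of the by_file_ctrl-style lookup, with an extra flag a defender would want so that a privileged process can refuse the environment override. The variable names SSL_CERT_FILE and SSL_CERT_DIR are the real ones discussed in the message; the default paths, the resolve_* function names and the trust_source codes are constructed for this illustration and stand in for whatever X509_get_default_cert_file() and X509_get_default_cert_dir() return in a given build.

```c
#define _POSIX_C_SOURCE 200809L   /* for getenv/setenv/unsetenv prototypes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed placeholders for the compiled-in defaults that OpenSSL's
 * X509_get_default_cert_file()/X509_get_default_cert_dir() would supply. */
#define DEFAULT_CERT_FILE "/usr/local/ssl/cert.pem"
#define DEFAULT_CERT_DIR  "/usr/local/ssl/certs"

/* The override variables the message asks about (real names). */
#define CERT_FILE_ENV "SSL_CERT_FILE"
#define CERT_DIR_ENV  "SSL_CERT_DIR"

/* Which source the resolved path came from (constructed codes). */
enum trust_source { SRC_ENV = 1, SRC_DEFAULT = 2 };

/* Resolve one trust-store location the way the message describes by_file_ctrl:
 * use the environment variable when honour_env is set and the variable is
 * present and non-empty; otherwise fall back to the compiled-in default.
 * Copies the chosen path into out and returns the trust_source used, or -1
 * if out is too small. honour_env is the defender's knob: a set-uid or
 * otherwise privileged program should pass 0 so that an attacker who
 * controls its environment cannot redirect trust to a different CA bundle. */
static int resolve_path(const char *env_name, const char *default_path,
                        int honour_env, char *out, size_t out_len)
{
    const char *from_env = honour_env ? getenv(env_name) : NULL;
    int use_env = (from_env != NULL && from_env[0] != '\0');
    const char *chosen = use_env ? from_env : default_path;

    if (strlen(chosen) >= out_len)
        return -1;                      /* refuse to truncate a path */
    strcpy(out, chosen);
    return use_env ? SRC_ENV : SRC_DEFAULT;
}

/* CA bundle file: SSL_CERT_FILE, then the compiled-in default. */
int resolve_cert_file(char *out, size_t out_len, int honour_env)
{
    return resolve_path(CERT_FILE_ENV, DEFAULT_CERT_FILE, honour_env, out, out_len);
}

/* Hashed certificate directory: SSL_CERT_DIR, then the compiled-in default. */
int resolve_cert_dir(char *out, size_t out_len, int honour_env)
{
    return resolve_path(CERT_DIR_ENV, DEFAULT_CERT_DIR, honour_env, out, out_len);
}

/* Stand-alone demonstration: show where each location would be taken from
 * in the current environment, with and without honouring the override. */
int main(void)
{
    char file[512], dir[512];
    int honour;

    for (honour = 1; honour >= 0; honour--) {
        int fsrc = resolve_cert_file(file, sizeof file, honour);
        int dsrc = resolve_cert_dir(dir, sizeof dir, honour);
        printf("honour_env=%d: cert file %s (%s), cert dir %s (%s)\n",
               honour,
               file, fsrc == SRC_ENV ? "from " CERT_FILE_ENV : "compiled-in default",
               dir,  dsrc == SRC_ENV ? "from " CERT_DIR_ENV  : "compiled-in default");
    }
    return 0;
}
```

Note that an empty SSL_CERT_FILE is treated the same as an unset one here; whether a real implementation does that is exactly the kind of detail that deserves the documentation the message asks for, since an empty override silently changes which CA set a client trusts.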