Hi Kyle

Kyle Hamilton wrote:
> OpenSSL does not distribute a CA bundle anymore.  What is your
> OS/vendor?  What is the name of the file that it was actually
> validating against, including full pathname?
>
> Which version of OpenSSL are you working with, also?
>   
On my CentOS 5.2 the bundle is in /etc/pki/tls/cert.pem. When I set the
environment variable SSL_CERT_FILE=/dev/null it works as I want it to.
An strace verifies that it doesn't open /etc/pki/tls/cert.pem and also
reads the root CA in my selected CApath.



> -Kyle H
>
> On Tue, Mar 17, 2009 at 9:26 PM, Rodney McDuff <mcd...@its.uq.edu.au> wrote:
>   
>> I am doing some verifying with openssl on a chain of certs with a
>> (VeriSign) root CA and all other certs in the CApath directory and it was
>> giving me "OK"s.  A little stracing showed me that openssl was using
>> the VeriSign root in the openssl CA bundle and not my VeriSign root in my
>> CApath directory. So even if I removed the VeriSign root from my CApath
>> directory it would still verify OK.
>>
>> As my purpose is to verify against a single set of certs (not two sets
>> of certs) this behavior is annoying. I can just delete the openssl CA
>> bundle and get the behavior I want, but what else will this break on the
>> machine? I can't seem to find a cmdline switch or environment variable
>> to stop its CA bundle.
>>
>> Any ideas?
>>
>> --
>> Dr. Rodney G. McDuff                 |Ex ignorantia ad sapientiam
>> Manager, Strategic Technologies Group|    Ex luce ad tenebras
>> Information Technology Services      |
>> The University of Queensland         |
>> EMAIL: mcd...@its.uq.edu.au          |
>> TELEPHONE: +61 7 3365 8220           |
>>
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
>>
>>     


-- 
Dr. Rodney G. McDuff                 |Ex ignorantia ad sapientiam
Manager, Strategic Technologies Group|    Ex luce ad tenebras
Information Technology Services      |
The University of Queensland         |
EMAIL: mcd...@its.uq.edu.au          |
TELEPHONE: +61 7 3365 8220           |
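
The behaviour discussed in this thread can be reproduced with a throwaway CA. This is an added example, not part of the original messages: SSL_CERT_FILE stands in for the distribution bundle, and every file name and subject name is constructed for the demo.

```shell
#!/bin/sh
# Added example: all file names and subject names are constructed for this demo.

make_demo_pki() {   # $1 = scratch dir; creates root.pem, leaf.pem and two CApath dirs
    d=$1
    mkdir -p "$d/capath_empty" "$d/capath_root"
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -subj "/CN=demo-leaf" -newkey rsa:2048 \
        -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    # CApath lookups are by subject hash: the root must be named <hash>.0
    cp "$d/root.pem" "$d/capath_root/$(openssl x509 -in "$d/root.pem" -noout -hash).0"
}

# $1 = SSL_CERT_FILE value (stands in for the distro bundle), $2 = CApath, $3 = cert
verify_leaf() {
    SSL_CERT_FILE=$1 openssl verify -CApath "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

report() {   # $1 = label; remaining args are passed to verify_leaf
    label=$1; shift
    if verify_leaf "$@"; then echo "$label: OK"; else echo "$label: FAILED"; fi
}

run_demo() {
    w=$(mktemp -d)
    make_demo_pki "$w"
    report "bundle has root, CApath empty" "$w/root.pem" "$w/capath_empty" "$w/leaf.pem"
    report "bundle=/dev/null, CApath empty" /dev/null "$w/capath_empty" "$w/leaf.pem"
    report "bundle=/dev/null, CApath has root" /dev/null "$w/capath_root" "$w/leaf.pem"
    rm -rf "$w"
}

run_demo
```

OpenSSL 1.1.0 and later also accept -no-CAfile on openssl verify, which skips the default bundle without touching the environment.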

