On Tue, Nov 09, 2010 at 01:45:15PM +0000, Bruce Stephens wrote:
> Michael Ströder <mich...@stroeder.com> writes:
>
> > Bruce Stephens wrote:
>
> [...]
>
> >> Ah, my fault. Obvious in retrospect: Debian's openssl finds the root
> >> cert because it's in the ca-certificates package!
> >
> > Did you use -CAfile as in my original posting when testing?
>
> I did.
>
> > Doesn't -CAfile set exclusively all trusted CA certs?
>
> Apparently not, the normal openssl.cnf is read and (on Debian, if
> ca-certificates is installed) that gives a set of extra CA certificates.

Correct. This *augments* the default certificate list, found in the
'certs/' sub-directory and 'cert.pem' file of the directory reported by
"openssl version -d".

From crypto/cryptlib.h:

    #define X509_CERT_AREA OPENSSLDIR
    #define X509_CERT_DIR OPENSSLDIR "/certs"
    #define X509_CERT_FILE OPENSSLDIR "/cert.pem"

The OpenSSL toolkit does not include any default roots. These are
configured by the O/S release engineering teams.

--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
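
To see what a given host adds on top of -CAfile, the default locations named in the message above can be listed and counted. This is an added example, not part of the original message or of OpenSSL itself; the function names are this example's own, and it assumes the usual `<hash>.<n>` file naming for entries in the certs directory.

```shell
#!/bin/sh
# Added example: audit the default trust locations that sit behind -CAfile.
# Function names are hypothetical helpers of this example.

# Extract the directory from a line shaped like: OPENSSLDIR: "/usr/lib/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Default bundle file and hashed directory for a given OPENSSLDIR.
# SSL_CERT_FILE / SSL_CERT_DIR, when set, replace the compiled-in paths.
default_cert_file() { printf '%s\n' "${SSL_CERT_FILE:-$1/cert.pem}"; }
default_cert_dir()  { printf '%s\n' "${SSL_CERT_DIR:-$1/certs}"; }

# Number of PEM certificates in a bundle file (0 if absent or unreadable).
count_bundle() {
    if [ -r "$1" ]; then
        grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Number of usable entries in a hashed directory. Assumption: lookups only
# consider files named <8 hex digits>.<n>, so other files are ignored here.
count_hashed() {
    n=0
    for f in "$1"/*; do
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                if [ -e "$f" ]; then n=$((n + 1)); fi ;;
        esac
    done
    echo "$n"
}

# Print both locations and what they currently contain.
report() {
    dir=$(parse_openssldir "$1")
    file=$(default_cert_file "$dir")
    cdir=$(default_cert_dir "$dir")
    echo "$file: $(count_bundle "$file") certificate(s)"
    echo "$cdir: $(count_hashed "$cdir") hashed entry(ies)"
}

# Run against the local installation when the openssl binary is present.
if command -v openssl >/dev/null 2>&1; then
    report "$(openssl version -d)"
fi
```

Non-zero counts mean the host carries OS-provided roots in addition to whatever is passed with -CAfile. OpenSSL 1.1.0 and later accept `-no-CAfile` and `-no-CApath` on `verify` and `s_client` to skip these default locations.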