Hello,

See apps/apps.c, function setup_verify. It receives two arguments, CAfile and CApath. Each one is processed independently, and if either one is NULL, its corresponding default is used.

--
Erwann ABALEA
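
To make the point above concrete, here is an added shell example; it is not from the thread and not OpenSSL's own code. It stands in for the distro root store with a scratch directory selected through the SSL_CERT_DIR environment variable (which the default hash-dir lookup honours), builds two unrelated CAs plus a leaf issued by the second, and then runs openssl verify with -CAfile pointing at the first CA, once on its own and once with -CApath pinned as well. The CA names, directory layout and helper function names are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL itself. It reproduces
# the behaviour described above: "openssl verify -CAfile x" still consults the
# default CApath because CApath is NULL and its default is used independently.
# Instead of the distro store, the "default" directory is a scratch dir selected
# through the SSL_CERT_DIR environment variable, which the default hash-dir
# lookup honours. All certificates are generated on the fly (constructed data).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two unrelated self-signed CAs and a leaf issued by CA2.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=CA1 -days 1 \
        -keyout "$WORK/ca1.key" -out "$WORK/ca1.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=CA2 -days 1 \
        -keyout "$WORK/ca2.key" -out "$WORK/ca2.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=leaf \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca2.pem" \
        -CAkey "$WORK/ca2.key" -CAcreateserial -days 1 \
        -out "$WORK/leaf.pem" 2>/dev/null

    # Stand-in for the system CApath: a hash-named directory holding only CA2,
    # plus an empty directory used later to pin CApath to "nothing".
    mkdir -p "$WORK/defaultdir" "$WORK/emptydir"
    cp "$WORK/ca2.pem" \
        "$WORK/defaultdir/$(openssl x509 -noout -hash -in "$WORK/ca2.pem").0"
}

# OpenSSL 3.x adds a third independent default source, the CAstore; disable it
# too where the option exists so that case 2 really pins every source.
no_castore_opt() {
    if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then
        echo -no-CAstore
    fi
}

# Prints OK or FAIL. The exit status of "openssl verify" is deliberately not
# used: 1.0.x exits 0 even when verification fails, so the output is checked.
verify_result() {
    if SSL_CERT_DIR="$WORK/defaultdir" openssl verify "$@" "$WORK/leaf.pem" 2>&1 \
        | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# Case 1: -CAfile only. CApath stays NULL, the default directory is consulted,
# CA2 is found there and the leaf verifies although CA1 is the only root the
# caller believes is trusted.
cafile_only() {
    verify_result -CAfile "$WORK/ca1.pem"
}

# Case 2: pin every source. An empty -CApath replaces the default directory,
# so only CA1 is trusted and the CA2-issued leaf is rejected.
cafile_and_capath() {
    verify_result -CAfile "$WORK/ca1.pem" -CApath "$WORK/emptydir" $(no_castore_opt)
}

make_pki
echo "CAfile only:           $(cafile_only)"
echo "CAfile + empty CApath: $(cafile_and_capath)"
```

Run it with an openssl binary on PATH; the first case prints OK and the second FAIL. Pointing -CApath at an empty directory works on every version because the directory lookup only records the path. OpenSSL 1.1.0 later added -no-CAfile and -no-CApath for exactly this purpose, and 3.0 added a third independent default source (-CAstore / -no-CAstore), which is why the script disables it when the option is available.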

On 06/12/2012 10:38, Ralph Holz wrote:
Good day,

I was using openssl verify as described in the Pastebin link to validate
a cert, using a custom root store indicated with the -CAfile option. The
custom root store contains a Comodo root, the cert to be validated is
signed by Equifax. The expected result would be for that check to fail.

However, it does not: it verifies with "OK". This happens on Ubuntu and
very likely also on Fedora, which makes me think it might be an upstream
issue. Both OS have default root stores configured for openssl.

I would like to ask for confirmation from this ML if this kind of
behaviour is unexpected as I would expect -CAfile to overwrite any
default root store:

http://pastebin.com/3CZHbKYg
https://bugzilla.redhat.com/show_bug.cgi?id=884305

Am I missing something or is this a bug?

If it is a bug - this would mean you verify against your distro's root
store even if you think you have chosen your own roots only.

Also, would the same thing happen if you use libssl-dev?

Thanks for any clarification on this issue.

Thanks,

Ralph
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

