Hi,

Yes, that clarifies the issue for me.

One thing I am wondering about now (as a user) would be how to get openssl to disregard any local trusted cert list - i.e. how do I get it to act on the provided CAFile only? Do I need to remove the complete local root store? Or can I set the CAPath to "." and then openssl will not fall back to default settings?

I think that information is what users are really looking for.

Ralph

On 12/06/2012 09:32 PM, Chris Palmer wrote:
> On Thu, Dec 6, 2012 at 12:00 PM, Erwann Abalea
> <erwann.aba...@keynectis.com> wrote:
>
>> There's the same behaviour with -CAfile. If -CAfile isn't specified, then
>> the default platform CA file is used (by default, /usr/lib/ssl/cert.pem).
>> This is true for verify, ocsp, smime, and cms.
>
> Oh, right. New diff attached.
>

--
Ralph Holz
Network Architectures and Services
Technische Universität München
Phone +49 89 28918043
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org