> > On Jun 1, 2019, at 7:17 PM, Michael Osipov <1983-01...@gmx.net> wrote: > > > > Can you please explain why not simple PEM bundles like OpenSSL have been > > chosen? > > Is that /etc/ssl/certs on Ubuntu? It's a directory containing a lot of PEM > files. Do you prefer this style or a big file containing multiple PEM blocks?
Hi Max, I prefer the latter. This works flawlessly for OpenSSL-based apps on FreeBSD, RHEL and HP-UX for me: RHEL: $ ll /etc/ssl/certs/ca-bundle.crt lrwxrwxrwx. 1 root root 49 2018-11-02 15:15 /etc/ssl/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem FreeBSD: # ll /usr/local/etc/ssl/cert.pem -rw-r--r-- 1 root wheel 1073753 2019-07-31 10:14 /usr/local/etc/ssl/cert.pem HP-UX: # ll /opt/openssl/cert.pem -rw-r--r-- 1 root sys 1081003 2019-04-18 11:45 /opt/openssl/cert.pem These bundles contain public-known CAs from Mozilla as well as all intermediate and root CAs from our company: https://new.siemens.com/global/en/general/legal/ca-certificates.html I think this is the function doing the magic: https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_load_verify_locations.html Michael
