Great. This is also easy for me. --Max
> On Aug 2, 2019, at 5:20 PM, Michael Osipov <1983-01...@gmx.net> wrote:
>
>>> On Jun 1, 2019, at 7:17 PM, Michael Osipov <1983-01...@gmx.net> wrote:
>>>
>>> Can you please explain why not simple PEM bundles like OpenSSL have been
>>> chosen?
>>
>> Is that /etc/ssl/certs on Ubuntu? It's a directory containing a lot of PEM
>> files. Do you prefer this style or a big file containing multiple PEM blocks?
>
> Hi Max,
>
> I prefer the latter. This works flawlessly for OpenSSL-based apps on FreeBSD,
> RHEL and HP-UX for me:
>
> RHEL:
> $ ll /etc/ssl/certs/ca-bundle.crt
> lrwxrwxrwx. 1 root root 49 2018-11-02 15:15 /etc/ssl/certs/ca-bundle.crt ->
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> FreeBSD:
> # ll /usr/local/etc/ssl/cert.pem
> -rw-r--r-- 1 root wheel 1073753 2019-07-31 10:14
> /usr/local/etc/ssl/cert.pem
> HP-UX:
> # ll /opt/openssl/cert.pem
> -rw-r--r-- 1 root sys 1081003 2019-04-18 11:45 /opt/openssl/cert.pem
>
> These bundles contain publicly known CAs from Mozilla as well as all
> intermediate and root CAs from our company:
> https://new.siemens.com/global/en/general/legal/ca-certificates.html
>
> I think this is the function doing the magic:
> https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_load_verify_locations.html
>
> Michael