Stuart Henderson <st...@openbsd.org> writes:

> On 2014/03/28 22:09, Philip Guenther wrote:
>> On Thu, Mar 27, 2014 at 3:33 AM, Jérémie Courrèges-Anglas
>> <j...@wxcvbn.org> wrote:
>> > Thanks sthen@ for noticing it, ftp(1) doesn't perform SNI, Server Name
>> > Indication.  (try e.g. https://www.stunnel.org/)
>> >
>> > Here's a diff to improve the situation (first and last hunks).  While
>> > I can get some eyes for a review, let's add some more changes. ;)
>> 
>> The other changes look ok to me, but I am unable to find any
>> documentation for SSL_set_tlsext_host_name() to reassure me that it's
>> being used correctly here, or even that it's useful.
>> 
>> :-(
>> 
>> 
>> Philip Guenther
>> 
>
> Given that they don't even document that there's an environment variable
> which overrides the system CA cert.pem path (which is kind-of
> security-important information), I think this is pretty much par for the
> course :(

We don't call SSL_CTX_set_default_verify_paths(), so the SSL_CERT_FILE
environment variable isn't recognized.  Yes,
SSL_CTX_set_default_verify_paths() isn't documented. ;)

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
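An added check, not code from this thread or from ftp(1): the script below captures the ClientHello a TLS client emits and parses its server_name extension, so you can see the difference between a client that knows the hostname (Python's server_hostname= is its wrapper around the SSL_set_tlsext_host_name() call the diff adds) and one that does not. It also calls Python's wrapper for SSL_CTX_set_default_verify_paths(), the call whose absence keeps SSL_CERT_FILE inert. The hostname www.example.test is a constructed value.

```python
import socket, ssl, struct, threading


def parse_sni(client_hello):
    """Return the host_name in a raw TLS ClientHello record, or None if it has no SNI."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3).
    if len(client_hello) < 9 or client_hello[0] != 0x16 or client_hello[5] != 0x01:
        return None
    p = 9 + 2 + 32                                           # skip client_version, random
    p += 1 + client_hello[p]                                 # session_id
    p += 2 + struct.unpack("!H", client_hello[p:p + 2])[0]   # cipher_suites
    p += 1 + client_hello[p]                                 # compression_methods
    ext_end = p + 2 + struct.unpack("!H", client_hello[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", client_hello[p:p + 4])
        p += 4
        if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack("!H", client_hello[p + 3:p + 5])[0]
            return client_hello[p + 5:p + 5 + name_len].decode("ascii")
        p += ext_len
    return None


def sni_sent_by_client(server_hostname):
    """Start a client handshake toward a dummy peer and report the SNI name it sent."""
    client_end, peer_end = socket.socketpair()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_hostname is None:
        # A client that never learned the hostname, like ftp(1) before the diff: no SNI.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        try:  # Python's SSL_CTX_set_default_verify_paths(); only after it is SSL_CERT_FILE honoured
            ctx.set_default_verify_paths()
        except ssl.SSLError:
            pass  # no usable CA bundle on this host; verification would fail later anyway
    # server_hostname= is what makes Python call SSL_set_tlsext_host_name() on the connection.
    tls = ctx.wrap_socket(client_end, server_hostname=server_hostname, do_handshake_on_connect=False)

    def handshake():
        try:
            tls.do_handshake()  # sends the ClientHello, then fails once the peer closes
        except (ssl.SSLError, OSError):
            pass
    worker = threading.Thread(target=handshake)
    worker.start()
    hello = peer_end.recv(16384)  # the ClientHello arrives as a single record
    peer_end.close()
    worker.join()
    tls.close()
    return parse_sni(hello)
```

Run sni_sent_by_client("www.example.test") and sni_sent_by_client(None) to compare a client that sets the name with one that, like the unpatched ftp(1), never does.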
