I agree adding a new API for T.E. which applications could opt in to would be fine. But could T.E. ever be enabled by default without breaking the existing API and requiring application changes?
Yes it could. For example, you’d have to add meta-data identifying the ‘directory of certs’ that are typically used so that it could become a named trust store. Assume that’s a fixed filename, like “trust-store-id.txt” or something. Then when you specify that directory (e.g., via [1]) it could look for the fixed filename and send that identifying information. Of course there are many ways in OpenSSL to specify how you want to trust things, but at least you’d have a migration path.

[1] https://www.openssl.org/docs/man3.0/man3/SSL_CTX_load_verify_locations.html
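A sketch of the migration path described in the reply above, written as an added example rather than code from the poster or from OpenSSL: a stand-in for SSL_CTX_load_verify_locations that, when given a CApath directory, looks for a fixed metadata file naming the trust store and otherwise behaves exactly as today. The filename is the one the reply suggests; the one-line identifier syntax and the regex that validates it are assumptions made for this example.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional

TRUST_STORE_ID_FILE = "trust-store-id.txt"  # fixed filename suggested in the reply
_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")  # assumed identifier syntax

@dataclass
class VerifyLocations:
    cafile: Optional[str]
    capath: Optional[str]
    trust_store_id: Optional[str]  # None: no metadata found, legacy behaviour

def read_trust_store_id(capath: str) -> Optional[str]:
    """First line of the metadata file in a CA directory, or None.
    A missing or malformed file means 'no identifier', so existing
    deployments keep working and nothing new is advertised."""
    try:
        with open(os.path.join(capath, TRUST_STORE_ID_FILE), encoding="ascii") as fh:
            first = fh.readline().strip()
    except (OSError, UnicodeDecodeError):
        return None
    return first if _ID_RE.match(first) else None

def load_verify_locations(cafile: Optional[str] = None,
                          capath: Optional[str] = None) -> VerifyLocations:
    """Same arguments as SSL_CTX_load_verify_locations: CAfile is a single
    bundle (no place for directory metadata), CApath is a directory."""
    if cafile is None and capath is None:
        raise ValueError("need CAfile or CApath")
    if capath is not None and not os.path.isdir(capath):
        raise FileNotFoundError(capath)
    tsid = read_trust_store_id(capath) if capath else None
    return VerifyLocations(cafile, capath, tsid)

def demo() -> dict:
    """Constructed CA directories: tagged, legacy (no file), malformed file."""
    with tempfile.TemporaryDirectory() as root:
        dirs = {}
        for name, content in (("tagged", "example-bundle-2024\n"),
                              ("legacy", None), ("junk", "not an id; has spaces\n")):
            d = os.path.join(root, name); os.mkdir(d); dirs[name] = d
            if content is not None:
                with open(os.path.join(d, TRUST_STORE_ID_FILE), "w") as fh:
                    fh.write(content)
        return {n: load_verify_locations(capath=d).trust_store_id for n, d in dirs.items()}
```

Calling demo() returns an identifier only for the tagged directory; the legacy and malformed cases yield None, which is the point of the migration path: nothing changes for applications that never add the file.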
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
