guix-devel

Re: [PATCHES] profiles: Produce a single-file CA certificate bundle


From: Andreas Enge
Subject: Re: [PATCHES] profiles: Produce a single-file CA certificate bundle
Date: Tue, 3 Mar 2015 13:55:08 +0100
User-agent: Mutt/1.5.23 (2014-03-12)

On Tue, Mar 03, 2015 at 01:43:38PM +0100, Ludovic Courtès wrote:
> I just checked the source and OpenSSL itself does not use SSL_CERT_FILE
> nor SSL_CERT_DIR at all.  Lynx does use SSL_CERT_FILE, but that’s really
> in Lynx, not in libssl.  So I don’t think there should be a search path
> specification for OpenSSL.  This is unfortunate, but it looks like we
> can’t do much.

I just did a "strings" and "grep" on the binaries and libs. SSL_CERT_DIR
appears in bin/c_rehash and lib/libcrypto.so, and SSL_CERT_FILE also appears
in the latter.

In the source code,
$ find -type f -exec grep -H SSL_CERT_DIR {} \;
yields:

./crypto/cryptlib.h:# define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
./tools/c_rehash.in:} elsif($ENV{SSL_CERT_DIR}) {
./tools/c_rehash.in:    @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
./tools/c_rehash:} elsif($ENV{SSL_CERT_DIR}) {
./tools/c_rehash:       @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
./doc/apps/c_rehash.pod:processed in turn. If not, then the B<SSL_CERT_DIR> environment variable
./doc/apps/c_rehash.pod:=item B<SSL_CERT_DIR>

and
$ find -type f -exec grep -H SSL_CERT_FILE {} \;

address@hidden:/tmp/openssl-1.0.2$ find -type f -exec grep -H SSL_CERT_FILE {} \;
./crypto/cryptlib.h:# define X509_CERT_FILE_EVP       "SSL_CERT_FILE"

So I think it is used and our search path is fine.

By the way, in the next core-updates round, we may wish to erase the empty
directories ssl/certs and ssl/private.

Andreas
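
A runtime counterpart to the grep above, added here as an example and not part of the original message, of OpenSSL or of Guix: it asks the linked libcrypto (through Python's ssl module) which environment variable names it was built with, then resolves them against a given environment. The function name trust_anchor_report and the use of os.pathsep as the list separator are assumptions made for illustration.

```python
import os
import ssl


def trust_anchor_report(env):
    """Resolve which CA file and directories libcrypto would consult for `env`.

    The variable names come from the linked libcrypto (its X509_CERT_FILE_EVP
    and X509_CERT_DIR_EVP values, exposed by the ssl module), not from literals
    in this script.
    """
    d = ssl.get_default_verify_paths()
    report = {}
    for kind, var, built_in in (
        ("file", d.openssl_cafile_env, d.openssl_cafile),
        ("dir", d.openssl_capath_env, d.openssl_capath),
    ):
        value = env.get(var)
        # A variable that is set, even to "", replaces the compiled default.
        path = (built_in if value is None else value) or ""
        if kind == "dir":
            # c_rehash splits this variable on a path delimiter (see the grep
            # output); os.pathsep is assumed to be that delimiter here.
            candidates = [p for p in path.split(os.pathsep) if p]
            existing = [p for p in candidates if os.path.isdir(p)]
        else:
            existing = [path] if os.path.isfile(path) else []
        report[kind] = {
            "variable": var,
            "source": "compiled default" if value is None else "environment",
            "path": path,
            "existing": existing,
        }
    return report


if __name__ == "__main__":
    for kind, entry in trust_anchor_report(os.environ).items():
        print(kind, entry)
```

An empty "existing" list with source "environment" means the variable is set but points at nothing usable, which is the case to check for when a profile's search path and the installed certificate bundle disagree.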



