[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5582) Default OpenSSL certs are only used when TLS_CACERT(DIR)

Howard Chu writes:
> Sounds like this works as designed.  The docs tell you that
> either CACERT or CACERTDIR must be explicitly configured.

Maybe, but in that case the bug is that configuring them to an
irrelevant certificate works as a "use the OpenSSL defaults" flag.

Which is weird at best.  And broke our testing: We thought we checked
that certain of our users and clients had updated to use our new cert,
but actually we just checked that the OpenSSL installations on the test
hosts had the CyberTrust root cert.  Which got really confusing when we
later tried to get some test clients without the new cert to fail.

However if we turn this off (remove SSL_CTX_set_default_verify_paths()),
we'll likely break existing installations that (intentionally or not)
make use of this feature.  (Like some of the clients we supposedly

Thus it seemed best to always load them.  Though OTOH I suppose it's not
such a good idea to trust a bunch of certs without being asked to do so.
Yet if you can't trust your OpenSSL maintainer...
Could add a keyword to turn on (or off) loading of defaults, but I do
think it should be independent of whether TLS_CACERT(DIR) have been set.