On Tue, Mar 03, 2015 at 01:43:38PM +0100, Ludovic Courtès wrote:
> I just checked the source and OpenSSL itself does not use SSL_CERT_FILE
> nor SSL_CERT_DIR at all. Lynx does use SSL_CERT_FILE, but that’s really
> in Lynx, not in libssl. So I don’t think there should be a search path
> specification for OpenSSL. This is unfortunate, but it looks like we
> can’t do much.
I just did a "strings" and "grep" on the binaries and libs. SSL_CERT_DIR
appears in bin/c_rehash and lib/libcrypto.so, and SSL_CERT_FILE also appears
in the latter.
In the source code,
$ find -type f -exec grep -H SSL_CERT_DIR {} \;
yields:
./crypto/cryptlib.h:# define X509_CERT_DIR_EVP "SSL_CERT_DIR"
./tools/c_rehash.in:} elsif($ENV{SSL_CERT_DIR}) {
./tools/c_rehash.in: @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
./tools/c_rehash:} elsif($ENV{SSL_CERT_DIR}) {
./tools/c_rehash: @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
./doc/apps/c_rehash.pod:processed in turn. If not, then the B<SSL_CERT_DIR>
environment variable
./doc/apps/c_rehash.pod:=item B<SSL_CERT_DIR>
and
$ find -type f -exec grep -H SSL_CERT_FILE {} \;
privat@debian:/tmp/openssl-1.0.2$ find -type f -exec grep -H SSL_CERT_FILE {} \;
./crypto/cryptlib.h:# define X509_CERT_FILE_EVP "SSL_CERT_FILE"
So I think it is used and our search path is fine.
By the way, in the next core-updates round, we may wish to erase the empty
directories ssl/certs and ssl/private.
Andreas
