In my setup, I installed openssl to /usr/local/ssl. In that dir there is a /certs directory which is empty. However, in my source dir /usr/local/src/openssl-0.9.7b/certs/ there are over 20 .pem files (and their associated hashes) which look to be the trusted root certificates. Should those be copied to /usr/local/ssl/certs, or remain where they are?
Also, when applications such as Apache and Sendmail are compiled with openssl, does the openssl library know to look in the original source area for those certs even though I've told those apps that the openssl libs are in /usr/local/ssl?
My experience is that programs have configuration files, and there is a line in the configuration file that says where the certificates are to be found. I have only used the command line tools (haven't done any programming) but I believe there is a subroutine that is passed the name of the certs directory and/or the name of a file of certs to be read, and that other than this the library knows nothing of standard system locations where things are to be found.
I'm hesitant to start giving read access to all the application's "run as" users to the ssl directories. Consequently I'm wondering whether the openssl libs have root access even though Apache might be running as "nobody"? Or, do I duplicate all the certs in each app's respective directories? Or even, do I create a new user id for all of those apps to run as so that I can grant access to a common directory? How's this normally handled by yourself and others?
I do not at all believe that the SSL libraries have ANY access permissions above and beyond those of the process calling them.
IMHO giving somebody read access to a certificate is not a security exposure. Anybody can connect to a secure server's port and get a list of certificates at any time. Only the private keys should be sacred.
-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
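An added example, not from anyone in this thread: Python's standard-library ssl module wraps the same OpenSSL calls, so it can show the three things the exchange turns on. First, where the linked library looks by default when an application opts in (ssl.get_default_verify_paths, which reports the cert.pem and certs/ under the OPENSSLDIR compiled in at build time, e.g. /usr/local/ssl for an install with that prefix, plus the SSL_CERT_FILE and SSL_CERT_DIR override variables); the source tree the library was built from is never one of those locations. Second, how an application hands the library an explicit CA file or hashed directory (SSL_CTX_load_verify_locations underneath), which is the per-program configuration the replies describe. Third, a permission check in the spirit of the last reply: certificates may be world-readable, private keys must not be. The file names and the temporary directory in demo() are constructed for the example.

```python
import os
import ssl
import stat
import tempfile
from typing import Dict, Optional


def library_default_locations() -> Dict[str, Optional[str]]:
    """Where the linked OpenSSL looks for CA material when an application
    asks for the defaults (SSL_CTX_set_default_verify_paths underneath).

    The paths derive from OPENSSLDIR, fixed when the library was built
    (e.g. /usr/local/ssl for a source build with that prefix). The source
    tree the library was compiled from is never consulted.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile_env": p.openssl_cafile_env,  # override variable, usually SSL_CERT_FILE
        "cafile": p.openssl_cafile,          # e.g. <OPENSSLDIR>/cert.pem
        "capath_env": p.openssl_capath_env,  # override variable, usually SSL_CERT_DIR
        "capath": p.openssl_capath,          # e.g. <OPENSSLDIR>/certs
    }


def context_with_explicit_store(cafile: Optional[str] = None,
                                capath: Optional[str] = None) -> ssl.SSLContext:
    """Build a verifying client context that trusts only what the caller names.

    A capath directory is searched by subject-hash file name, so it must hold
    the hash-named files or symlinks (as the source tree's certs/ does);
    plain .pem files dropped into a directory are not found by this lookup.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def audit_store_permissions(cert_path: str, key_path: str) -> Dict[str, bool]:
    """Certificates are public data (every TLS client receives them), so a
    world-readable certificate is acceptable; a private key readable by group
    or others is the actual exposure."""
    cert_mode = stat.S_IMODE(os.stat(cert_path).st_mode)
    key_mode = stat.S_IMODE(os.stat(key_path).st_mode)
    return {
        "cert_world_readable": bool(cert_mode & stat.S_IROTH),
        "key_exposed": bool(key_mode & (stat.S_IRWXG | stat.S_IRWXO)),
    }


def demo() -> Dict[str, object]:
    """Run the pieces against a constructed layout in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        capath = os.path.join(root, "certs")
        os.mkdir(capath)
        # Constructed file names; the audit only inspects modes, not contents.
        cert = os.path.join(root, "server.crt")
        key = os.path.join(root, "server.key")
        for path, mode in ((cert, 0o644), (key, 0o600)):
            with open(path, "w") as fh:
                fh.write("placeholder\n")
            os.chmod(path, mode)
        ctx = context_with_explicit_store(capath=capath)
        good = audit_store_permissions(cert, key)
        os.chmod(key, 0o644)  # the misconfiguration the question worries about
        bad = audit_store_permissions(cert, key)
    return {
        "defaults": library_default_locations(),
        "verify_mode_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "good_layout": good,
        "key_world_readable": bad,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it once on the box in question and the "defaults" entry tells you which directory and bundle file this particular build of the library will use if an application relies on the defaults; copying the hashed root certificates into that directory (rather than leaving them in the source tree) is what makes such applications find them, while applications that pass their own cafile/capath, as Apache and Sendmail do through their configuration, need only read access to whatever path they are given.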
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]