> From: owner-openssl-us...@openssl.org On Behalf Of flowher
> Sent: Saturday, 27 October, 2012 09:03
> To: openssl-users@openssl.org
> Subject: Certificate lookup
>
> I'm using 'openssl verify -CApath /something/cert CERT_TO_VERIFY' to verify certificate chains.
> I just found out that some certificates are positively verified even if I do not provide the argument '-CApath /something/cert'. The root cause of such behavior is the fact that openssl uses certificates in /etc/ssl/certs in order to look for certificates. Is it possible to disable this lookup?
> I already tried to set OPENSSL_CONF=/dev/null, but afterwards I found out that it can only be used to specify an alternative location for openssl.cnf, which is also weird for me. Do you know why 'openssl verify' looks in /etc/ssl/openssl.cnf? I mean, what exactly does it try to find in this file?

'verify' doesn't use any config settings, thus doesn't need any config file unless you use it to load modules, and I don't know any modules you'd want to load for 'verify', but I don't know all.
The default or specified truststore is unrelated to the default or specified config file, except that both defaults are in OPENSSLDIR, which varies by build and platform and may be /etc/ssl for you. Last I looked at this you can change the default truststore (file and dir) only by setting OPENSSLDIR at build time. Almost as you found, specifying -CApath and -CAfile overrides the defaults; you must specify both to override both, if both default file and dir exist and you want neither.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
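As an added example (not code from this thread or from the OpenSSL project), the script below makes the truststore behaviour discussed above observable. It creates a throwaway root CA and a leaf certificate signed by it in a temporary directory, then runs `openssl verify` against the compiled-in default truststore (which cannot contain the demo CA, so the chain fails), with an explicit `-CAfile`, and with a `-CApath` directory laid out with the `<subject-hash>.0` naming that c_rehash produces. It assumes only that the `openssl` command-line tool is installed; every file name, path and subject name in it is constructed for the demo.

```shell
#!/bin/sh
# Added demo (not code from the thread): how `openssl verify` chooses its
# trust anchors. A throwaway CA and a leaf cert it signs are created in a
# temp dir; every name, path and CN below is constructed for this demo.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found; skipping demo" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf
# (the config file the original poster asked about). v3_ca marks the root as a CA.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Demo Root CA (constructed)
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed demo root, then a leaf CSR signed by that root (keys are throwaway).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/demo.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/demo.cnf" \
    -subj "/CN=leaf.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1

# A -CApath directory: files are named <subject hash>.<n>, as c_rehash would name them.
mkdir "$WORK/hashed"
cp "$WORK/ca.pem" "$WORK/hashed/$(openssl x509 -hash -noout -in "$WORK/ca.pem").0"

# Runs `openssl verify <extra args> leaf.pem` and prints OK or FAIL.
verify_leaf() {
    if openssl verify "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Fully isolated from the compiled-in defaults. -no-CAfile/-no-CApath were added to
# verify in OpenSSL 1.1.0, after this thread; older builds print UNSUPPORTED here.
verify_leaf_isolated() {
    if openssl verify -help 2>&1 | grep -q -- '-no-CApath'; then
        verify_leaf -no-CAfile -no-CApath -CAfile "$WORK/ca.pem"
    else
        echo UNSUPPORTED
    fi
}

# 1. Default truststore only (OPENSSLDIR, e.g. /etc/ssl/certs): the demo CA is
#    not there, so no chain can be built.
echo "default truststore only : $(verify_leaf)"
# 2. Explicit trust anchors via -CAfile or a hashed -CApath: both succeed.
echo "-CAfile ca.pem          : $(verify_leaf -CAfile "$WORK/ca.pem")"
echo "-CApath hashed/         : $(verify_leaf -CApath "$WORK/hashed")"
# 3. Defaults disabled entirely (1.1.0+ only).
echo "-no-CAfile -no-CApath   : $(verify_leaf_isolated)"
```

The first case is the behaviour the original poster observed from the other direction: with neither option given, `verify` silently consults the default file and directory under OPENSSLDIR, so a certificate chaining to a distribution-installed root verifies even when no `-CApath` is passed. Giving `-CAfile` or `-CApath` replaces only the matching default, as the reply says. The `-no-CAfile` and `-no-CApath` options shown in the last case, which disable the compiled-in defaults without a rebuild, only exist in OpenSSL 1.1.0 and later and were not available when this thread was written.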