Good day,

I was using openssl verify as described in the Pastebin link to validate a cert, using a custom root store indicated with the -CAfile option. The custom root store contains a Comodo root; the cert to be validated is signed by Equifax. The expected result would be for that check to fail. However, it does not: it verifies with "OK".

This happens on Ubuntu and very likely also on Fedora, which makes me think it might be an upstream issue. Both OSes have default root stores configured for openssl. I would like to ask for confirmation from this ML if this kind of behaviour is unexpected, as I would expect -CAfile to overwrite any default root store:

http://pastebin.com/3CZHbKYg
https://bugzilla.redhat.com/show_bug.cgi?id=884305

Am I missing something or is this a bug? If it is a bug, this would mean you verify against your distro's root store even if you think you have chosen your own roots only. Also, would the same thing happen if you use libssl-dev?

Thanks for any clarification on this issue.

Thanks,
Ralph
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
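The check from the post, reproduced with throwaway certificates, as an added example that is not part of the original message: with OpenSSL 1.1.0 or later, openssl verify still searches the default CA directory when only -CAfile is given, and -no-CApath (plus -no-CAstore on 3.x) restricts trust to the file. The CA and leaf names are constructed, and SSL_CERT_DIR is pointed at a temporary directory that stands in for the distro root store.

```shell
#!/bin/sh
# Constructed PKI: CA "A" signs the leaf, CA "B" is unrelated.
make_pki() {
    d=$1
    # Minimal config; the CN in [dn] is a placeholder that -subj overrides.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
        '[dn]' 'CN=unused' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    for n in A B; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
            -subj "/CN=Constructed CA $n" -keyout "$d/ca$n.key" \
            -out "$d/ca$n.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=leaf.example" -keyout "$d/leaf.key" \
        -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/caA.pem" -CAkey "$d/caA.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null || return 1
    # Stand-in for the distro's default CA directory: CA A stored under
    # its subject-hash file name, which is how a hashed directory is searched.
    mkdir "$d/defaultdir" || return 1
    h=$(openssl x509 -noout -subject_hash -in "$d/caA.pem") || return 1
    cp "$d/caA.pem" "$d/defaultdir/$h.0"
}

# Flags that switch off the default lookups; -no-CAstore only exists in 3.x.
pin_flags() {
    if openssl verify -help 2>&1 | grep -q -e '-no-CAstore'; then
        echo "-no-CApath -no-CAstore"
    else
        echo "-no-CApath"
    fi
}

# Only -CAfile (CA B): the default directory is still searched, CA A is found.
verify_cafile_only() {
    SSL_CERT_DIR="$1/defaultdir" openssl verify -CAfile "$1/caB.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

# -CAfile plus the pin flags: only CA B is trusted, so the leaf must fail.
verify_pinned() {
    SSL_CERT_DIR="$1/defaultdir" openssl verify $(pin_flags) \
        -CAfile "$1/caB.pem" "$1/leaf.pem" >/dev/null 2>&1
}

d=$(mktemp -d) || exit 1
make_pki "$d" || exit 1
verify_cafile_only "$d" && echo "-CAfile only: leaf verified via default directory"
verify_pinned "$d" || echo "pinned to CA B: verification failed"
rm -rf "$d"
```

The exit status of openssl verify is what the two functions return, so the same calls can gate a script that must trust only its own roots.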