Hi,

> See apps/apps.c, function setup_verify. It receives 2 arguments CAfile
> and CApath.
> Each one is processed independently, and if either one is NULL, its
> corresponding default is used.

Thanks for the quick reply. The openssl docs at http://www.openssl.org/docs/apps/verify.html say:

  -CAfile file
      A file of trusted certificates.

  "The lookup first looks in the list of untrusted certificates and if no match is found the remaining lookups are from the trusted certificates. The root CA is always looked up in the trusted certificate list: if the certificate to verify is a root certificate then an exact match must be found in the trusted list."

This has led me to believe -CAfile would cause openssl to ignore a default path to certs. I am surprised CAPath is still evaluated if you indicate a CAFile. However, as strace shows:

http://pastebin.com/Ckq67h0D

CAPath is indeed evaluated as you say.

So would you argue that this behaviour should be expected? If so, I would argue it should be stated in the docs (and not just in the code).

Ralph

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
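
The strace check described in the message above, as an added example that is not part of the original post or of OpenSSL: it scans a trace of `openssl verify -CAfile ...` and reports hashed-directory (CApath) lookups made in addition to the named CAfile. The function name `audit_trust_lookups`, the sample trace and every path in it are constructed for illustration.

```python
import re

# File-access syscalls as strace prints them: name("path", ...) = result
SYSCALL_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:open|openat|stat|stat64|lstat|access)'
    r'\((?:AT_FDCWD,\s*)?"([^"]+)".*\)\s*=\s*(-?\d+)')
# Hashed-directory (CApath) lookups probe names such as 578d5c04.0
HASHED_RE = re.compile(r'/[0-9a-f]{8}\.\d+$')

# Constructed sample trace (not the pastebin output linked in the message).
SAMPLE_STRACE = '''\
execve("/usr/bin/openssl", ["openssl", "verify", "-CAfile", "/tmp/myca.pem", "/tmp/server.pem"], [/* 20 vars */]) = 0
open("/usr/lib/ssl/openssl.cnf", O_RDONLY) = 3
open("/tmp/myca.pem", O_RDONLY) = 3
open("/tmp/server.pem", O_RDONLY) = 4
stat("/usr/lib/ssl/certs/5ad8a5d6.0", 0x7fff5c1a2b30) = -1 ENOENT (No such file or directory)
stat("/usr/lib/ssl/certs/578d5c04.0", {st_mode=S_IFREG|0644, st_size=1350, ...}) = 0
open("/usr/lib/ssl/certs/578d5c04.0", O_RDONLY) = 4
'''

def audit_trust_lookups(strace_text, cafile):
    """Report whether cafile was opened and which hashed CApath names were probed.

    capath_lookups maps each probed path to True if any syscall on it
    succeeded, meaning a certificate outside cafile was available as a
    trust anchor for this verification.
    """
    cafile_opened = False
    capath_lookups = {}
    for line in strace_text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if not m:
            continue  # not a file-access syscall (e.g. execve, mmap)
        path, ok = m.group(1), int(m.group(2)) >= 0
        if path == cafile:
            cafile_opened = cafile_opened or ok
        elif HASHED_RE.search(path):
            capath_lookups[path] = capath_lookups.get(path, False) or ok
    return {"cafile_opened": cafile_opened, "capath_lookups": capath_lookups}

if __name__ == "__main__":
    report = audit_trust_lookups(SAMPLE_STRACE, "/tmp/myca.pem")
    print("CAfile opened:", report["cafile_opened"])
    for path, hit in report["capath_lookups"].items():
        print("CApath lookup:", path, "-> found" if hit else "-> not found")
```

OpenSSL 1.1.0 and later provide `-no-CApath` and `-no-CAfile` to suppress the default locations.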