There's the same behaviour with -CAfile. If -CAfile isn't specified, then the default platform CA file is used (by default, /usr/lib/ssl/cert.pem).
This is true for verify, ocsp, smime, and cms.

I personally don't think it's unexpected for the openssl app. I'd even like it to be extended to other parts (ts, s_client, s_server, ...). Documented, of course.
But only for the app.

--
Erwann ABALEA

On 06/12/2012 20:39, Chris Palmer wrote:
On Thu, Dec 6, 2012 at 2:16 AM, Ralph Holz
<ralph-openssl-...@ralphholz.de> wrote:

-CAfile file    A file of trusted certificates.

"The lookup first looks in the list of untrusted certificates and if no
match is found the remaining lookups are from the trusted certificates.
The root CA is always looked up in the trusted certificate list: if the
certificate to verify is a root certificate then an exact match must be
found in the trusted list."

This has led me to believe -CAfile would cause openssl to ignore a
default path to certs. I am surprised CAPath is still evaluated if you
indicate a CAFile. However, as strace shows:
I've attached a diff against HEAD for verify.pod. Is it any good?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
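A worked illustration of the point in the thread, added here and not part of the original messages or of OpenSSL's own code: with -CAfile alone the default platform CAfile and CApath are still consulted, so a test that "only trusts my CA" is not actually isolated. Later OpenSSL releases (1.1.0 onward) added -no-CAfile and -no-CApath to suppress the defaults; the script assumes such a release is installed as `openssl` in PATH. The two-CA test PKI it builds is constructed on the fly and exists only for the example.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL >= 1.1.0, which provides
# -no-CAfile / -no-CApath to suppress the platform default trust locations.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: two unrelated self-signed CAs and a leaf issued by ca1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_ca ca1
make_ca ca2
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=leaf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca1.pem" -CAkey "$WORK/ca1.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null

# verify_default: the behaviour discussed in the thread. -CAfile adds a trust
# file, but the default CAfile and CApath are still searched as well.
# Usage: verify_default <trust-file> <cert>; returns openssl's exit status.
verify_default() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_isolated: trust ONLY the given file. -no-CAfile and -no-CApath stop
# openssl from consulting the platform defaults, so the result depends solely
# on what the caller passed in. Returns 0 on success, non-zero otherwise.
verify_isolated() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demonstration: the leaf verifies against ca1 and nothing else, whichever
# mode is used, because neither test CA is in the system store. The difference
# between the two functions only shows up when the default store already
# contains the issuer, which is exactly the surprise reported in the thread.
verify_isolated "$WORK/ca1.pem" "$WORK/leaf.pem" && echo "ca1 (isolated): OK"
verify_isolated "$WORK/ca2.pem" "$WORK/leaf.pem" || echo "ca2 (isolated): rejected, as expected"
```

The isolated form is the one to use in test suites and hardening checks: if `verify_isolated` passes, the chain really does terminate in the file you supplied, not in something the distribution happened to ship under /usr/lib/ssl or /etc/ssl.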
