On Wed, Jun 09, 2010 at 06:39:26PM +0200, Jan C. wrote:

> On Wed, Jun 9, 2010 at 6:35 PM, Victor Duchovni
> <victor.ducho...@morganstanley.com> wrote:
> > Probably, although I don't think we've reached a final decision yet...
> > My preference is to not trust some random list of CAs that came with the
> > O/S OpenSSL package when the user specifies an explicit CAfile/CApath,
> > but this would be an incompatible change.
> >
> > In my case, the OpenSSL package I use is built by me, and has an empty
> > default list of trusted CAs, so I never notice the extra default certs.
> >
>
> ok, could you please point me to the place where one can set those
> paths while building OpenSSL ?

You are too lazy to run "Configure --help"? OK, though it is off-topic here:

    Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...]
        [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads]
        [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386]
    --> [--prefix=DIR]
    --> [--openssldir=OPENSSLDIR]
        [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]

If you only specify "prefix", the cert directory is $prefix/ssl, otherwise it
is $openssldir, in which OpenSSL itself does not place any default
certificates; that's done by vendor package maintainers. OpenSSL itself
installs just:

    .../ssl/
    .../ssl/openssl.cnf
    .../ssl/private/
    .../ssl/certs/
    .../ssl/misc/
    .../ssl/misc/CA.pl
    .../ssl/misc/CA.sh
    .../ssl/misc/c_hash
    .../ssl/misc/c_info
    .../ssl/misc/c_issuer
    .../ssl/misc/c_name
    .../ssl/misc/tsget

--
Viktor.
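
An added example, not part of the original message or of OpenSSL: a shell sketch that applies the prefix/openssldir rule described above and checks whether a build's default trust locations hold anything. The function names are hypothetical, and it assumes the stock default locations `$OPENSSLDIR/certs` and `$OPENSSLDIR/cert.pem` and the `openssl version -d` output format.

```shell
#!/bin/sh
# Added example: audit the build-time default trust locations of an OpenSSL build.

# Rule from the message: only --prefix given -> $prefix/ssl, otherwise the
# --openssldir value. Relative --openssldir values are not handled here.
resolve_openssldir() {
    prefix=$1
    openssldir=$2
    if [ -n "$openssldir" ]; then
        printf '%s\n' "$openssldir"
    elif [ -n "$prefix" ]; then
        printf '%s\n' "${prefix%/}/ssl"
    else
        return 1    # neither option given: not covered by the message
    fi
}

# Extract the directory from `openssl version -d` output,
# which looks like: OPENSSLDIR: "/usr/local/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Count entries in $dir/certs plus PEM certificate blocks in $dir/cert.pem.
# Hash symlinks count as entries, so treat the result as empty vs. populated.
count_default_trust_entries() {
    dir=$1
    n=0
    for f in "$dir"/certs/*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    if [ -f "$dir/cert.pem" ]; then
        m=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$dir/cert.pem" 2>/dev/null || true)
        n=$((n + ${m:-0}))
    fi
    printf '%s\n' "$n"
}

# Report on the openssl binary found in PATH, if there is one.
if command -v openssl >/dev/null 2>&1; then
    d=$(parse_openssldir "$(openssl version -d 2>/dev/null || true)")
    if [ -n "$d" ]; then
        echo "OPENSSLDIR=$d default trust entries: $(count_default_trust_entries "$d")"
    fi
fi
```

A count of 0 corresponds to the empty default list described in the quoted message; a vendor package will normally report a non-zero count.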