Victor Duchovni:
> I guess our documentation has never promised the use of system CAs when
> CApath or CAfile are set, failing to override the system settings is
> counter-intuitive, so I can support this change. We'll also have to
> document the semantics of "CAfile == CApath == <empty>".

Why do we have to document or change Postfix default behavior?

Default Postfix behavior (empty CAfile and CApath) is a NOOP. Postfix calls neither SSL_CTX_load_verify_locations() nor SSL_CTX_set_default_verify_paths().

First, I don't see why we should change Postfix default behavior: the problem is with non-default settings.

Second, I don't see how we could document existing Postfix default behavior (empty CAfile and CApath), when that behavior is not defined by the OpenSSL API. OpenSSL source code does not count as a definition, nor do words from OpenSSL programmers or code examples. They can change program behavior because they are not bound by the contract of an API.

Wietse