[openssl-users] SSL_CTX_load_verify_locations only with CAPath

Salz, Rich rsalz at akamai.com
Tue Jul 7 14:36:26 UTC 2015


> I thought, as the doc has (always? long?) said, that CApath must have each
> cert (or CRL) in a separate file. But on checking I see that by_dir.c actually calls
> X509_load_{cert,crl}_file from by_file.c, which for PEM loads all certs (or crls)
> in a file to the working context. Thus a hashlink to only the 3rd cert in a file,
> where that 3rd cert is the only one you need, actually works even though not
> documented and I'm not sure intended.

That's definitely sub-optimal.  Can you open a ticket for this?
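
An audit for the behaviour described in the quoted text, added here as an example (it is not part of the original message and is not OpenSSL code): it lists hash-named CApath entries whose target file holds more than one PEM certificate or CRL. The function names and the sample directory are constructed for illustration, and the script counts PEM headers rather than parsing the objects.

```python
import os
import re
import tempfile

# Entry names the hashed-directory lookup opens: <8 hex digits>.<n> for
# certificates and <8 hex digits>.r<n> for CRLs.
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.r?\d+$")
# PEM headers for certificates and CRLs.
PEM_OBJECT = re.compile(
    rb"^-----BEGIN (?:(?:X509 |TRUSTED )?CERTIFICATE|X509 CRL)-----\s*$", re.M)


def audit_capath(capath):
    """Return {entry: object_count} for hash-named entries whose target
    file contains more than one PEM certificate or CRL."""
    findings = {}
    for name in sorted(os.listdir(capath)):
        if not HASH_NAME.match(name):
            continue
        target = os.path.realpath(os.path.join(capath, name))
        if not os.path.isfile(target):
            continue  # dangling link or not a regular file
        with open(target, "rb") as fh:
            count = len(PEM_OBJECT.findall(fh.read()))
        if count > 1:
            findings[name] = count
    return findings


def _write_fake_pem(path, label, n):
    # Constructed placeholder blocks; only the BEGIN/END markers matter here.
    block = f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"
    with open(path, "w") as fh:
        fh.write(block * n)


def demo():
    """Audit a constructed CApath: one link to a 3-cert bundle, one link to
    a single cert, and one CRL file holding two CRLs."""
    with tempfile.TemporaryDirectory() as d:
        _write_fake_pem(os.path.join(d, "bundle.pem"), "CERTIFICATE", 3)
        _write_fake_pem(os.path.join(d, "single.pem"), "CERTIFICATE", 1)
        os.symlink("bundle.pem", os.path.join(d, "0a1b2c3d.0"))
        os.symlink("single.pem", os.path.join(d, "deadbeef.0"))
        _write_fake_pem(os.path.join(d, "0a1b2c3d.r0"), "X509 CRL", 2)
        return audit_capath(d)


if __name__ == "__main__":
    print(demo())
```

Every flagged entry is a file from which more objects than the one its hash name refers to are loaded into the verification context, so each one is worth splitting into one object per file.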

