[openssl-users] SSL_CTX_load_verify_locations only with CAPath

[Michael Wojcik]

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Salz, Rich
> Sent: Tuesday, July 07, 2015 08:36
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] SSL_CTX_load_verify_locations only with
> CAPath
> 
> > I thought, as the doc has (always? long?) said, that CApath must have each
> > cert (or CRL) in a separate file. But on checking I see that by_dir.c actually
> calls
> > X509_load_{cert,crl}_file from by_file.c, which for PEM loads all certs (or
> crls)
> > in a file to the working context. Thus a hashlink to only the 3rd cert in a file,
> > where that 3rd cert is the only one you need, actually works even though
> not
> > documented and I'm not sure intended.
> 
> That's definitely sub-optimal.  Can you open a ticket for this?

Is it? It could be useful - you could have multiple certificates in one or more files in the certificate directory, and make multiple hash links (hard or symbolic, on filesystems where those are both options) to that physical file. I can see use cases for that. At the very least, it saves extracting all the certificates from a PEM file when creating the certificate directory, if you use a script that gets the hash value of each certificate in the file.

I personally don't much care, but I could believe that someone else might find that useful.

-- 
Michael Wojcik
Technology Specialist, Micro Focus