On Mon, Sep 22, 2014 at 05:26:30PM +0100, Jeremy Harris wrote:
> > Lots of people use CApath with OpenSSL. You need to run c_rehash,
> > and be mindful of the fact that the hash symlinks are different
> > for OpenSSL 0.9.x vs. 1.0.0 and later. Some versions of c_rehash
> > generate both.
>
> I was concerned about exim's usage, not the OpenSSL library per se.
>
> It turns out that both OpenSSL and GnuTLS intentionally violate
> the letter of the standard in the relevant area (the list of
> acceptable CAs for client certificates that the server sends);
> hence the apparent failing of the exim usage is possibly moot
> (depending on whether other SSL libraries also ignore the
> list as received at the client).

Oh, for purposes of sending the acceptable CAs hint, indeed only
CAfile is used. CApath CA DNs are accepted for validation, but
deliberately (and I think correctly) not sent to the client.
--
Viktor.