Re: [exim-dev] Should we always load the default trust store…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Heiko Schlittermann
Date:  
À: exim-dev
Sujet: Re: [exim-dev] Should we always load the default trust store? (was: tls_verify_certificates forced failure vs. empty) string
Viktor Dukhovni <viktor1dane@???> (Do 27 Nov 2014 19:24:46 CET):
>
> With OpenSSL that list (of distinguished names, not full certificates)
> is taken from the list of CAs in CAfile, with the CAs in CApath
> used only for verification, but not for "hinting".


Yes, this difference is mentioned in Exim's spec file.

> I don't know what GnuTLS does, but I generally recommend a short
> or empty CAfile, with verification-only certificates in CApath.
> This also yields a lower memory footprint. In other words,
> don't use an in-memory bundle file, use a hashed directory.


Is OpenSSL capabable of using the CAfile for hinting and using the
CApath for verification at the same time?

--
Heiko