Autor: Heiko Schlittermann Data: Para: exim-dev Asunto: Re: [exim-dev] Should we always load the default trust store? (was:
tls_verify_certificates forced failure vs. empty) string
Viktor Dukhovni <viktor1dane@???> (Do 27 Nov 2014 19:24:46 CET): >
> With OpenSSL that list (of distinguished names, not full certificates)
> is taken from the list of CAs in CAfile, with the CAs in CApath
> used only for verification, but not for "hinting".
Yes, this difference is mentioned in Exim's spec file.
> I don't know what GnuTLS does, but I generally recommend a short
> or empty CAfile, with verification-only certificates in CApath.
> This also yields a lower memory footprint. In other words,
> don't use an in-memory bundle file, use a hashed directory.
Is OpenSSL capabable of using the CAfile for hinting and using the
CApath for verification at the same time?