On Thu, Nov 27, 2014 at 09:44:12PM +0100, Heiko Schlittermann wrote:
> > I don't know what GnuTLS does, but I generally recommend a short
> > or empty CAfile, with verification-only certificates in CApath.
> > This also yields a lower memory footprint. In other words,
> > don't use an in-memory bundle file, use a hashed directory.
>
> Is OpenSSL capable of using the CAfile for hinting and using the
> CApath for verification at the same time?

Absolutely, if you specify both, only CAfile is used for hinting,
but both are used for verification.
--
Viktor.
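
The verification half of the answer above, as an added example that is not part of the original message: a short CAfile and a hashed CApath are used together by `openssl verify`, and a leaf whose CA lives only in the hashed directory verifies only when CApath is supplied. All CA names, subjects and paths are constructed for the demo; the hint list is not exercised here.

```shell
#!/usr/bin/env bash
# Added example: all names, subjects and paths below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
CAFILE="$WORK/cafile.pem"   # short bundle: per the thread, the only source of hints
CAPATH="$WORK/capath"       # hashed directory holding verification-only CAs
EMPTY="$WORK/empty"         # stands in for "no usable CApath"
mkdir "$CAPATH" "$EMPTY"

# Create a throwaway self-signed CA named $1 and a leaf certificate it signs.
make_ca_and_leaf() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1 demo CA" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1 demo leaf" \
        -keyout "$WORK/$1-leaf.key" -out "$WORK/$1-leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1-leaf.csr" -CA "$WORK/$1-ca.pem" \
        -CAkey "$WORK/$1-ca.key" -CAcreateserial -days 2 \
        -out "$WORK/$1-leaf.pem" 2>/dev/null
}

# Install a CA into the hashed directory as <subject-hash>.0, the file name
# OpenSSL looks up on demand instead of holding a whole bundle in memory.
install_in_capath() {
    h=$(openssl x509 -in "$1" -noout -hash)
    cp "$1" "$CAPATH/$h.0"
}

# Succeeds if leaf $3 chains to a CA found in CAfile $1 or CApath $2.
# The output is checked for ": OK" because older releases exit 0 on failure.
verify_leaf() {
    openssl verify -CAfile "$1" -CApath "$2" "$3" 2>&1 | grep -q ': OK$'
}

make_ca_and_leaf hinted     # this CA goes into CAfile
make_ca_and_leaf pathonly   # this CA exists only in CApath
cp "$WORK/hinted-ca.pem" "$CAFILE"
install_in_capath "$WORK/pathonly-ca.pem"

for leaf in hinted pathonly; do
    if verify_leaf "$CAFILE" "$CAPATH" "$WORK/$leaf-leaf.pem"; then
        echo "$leaf leaf: verified with CAfile + CApath"
    fi
    verify_leaf "$CAFILE" "$EMPTY" "$WORK/$leaf-leaf.pem" ||
        echo "$leaf leaf: rejected with CAfile alone"
done
```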