Re: [exim-dev] Should we always load the default trust store…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] Should we always load the default trust store? (was: tls_verify_certificates forced failure vs. empty) string
On Thu, Nov 27, 2014 at 09:44:12PM +0100, Heiko Schlittermann wrote:

> > I don't know what GnuTLS does, but I generally recommend a short
> > or empty CAfile, with verification-only certificates in CApath.
> > This also yields a lower memory footprint. In other words,
> > don't use an in-memory bundle file, use a hashed directory.
>
> Is OpenSSL capable of using the CAfile for hinting and using the
> CApath for verification at the same time?


Absolutely, if you specify both, only CAfile is used for hinting,
but both are used for verification.

-- 
    Viktor.
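
Added example, not part of the message above and not Exim or OpenSSL project code: it shows the verification half of the answer with the `openssl` command-line tool, where a leaf issued by a CA found only in the hashed CApath directory and a leaf issued by a CA found only in the CAfile both verify when the two stores are given together. All CA names, leaf names and paths are constructed for the demo, and it assumes an `openssl` binary is installed.

```shell
#!/bin/sh
# Constructed demo: throwaway CAs and leaves; every name and path is made up.
work=$(mktemp -d) && cd "$work" || exit 1

make_ca() {    # $1 = CA name; writes $1.key and self-signed $1.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_leaf() {  # $1 = leaf name, $2 = issuing CA; writes $1.pem
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

verify_leaf() { # $1 = leaf name; true if it chains to an anchor in either store
    openssl verify -CAfile bundle.pem -CApath certs "$1.pem" >/dev/null 2>&1
}

make_ca file-ca; make_ca dir-ca; make_ca other-ca
make_leaf leaf-file file-ca     # issuer will be in the CAfile only
make_leaf leaf-dir dir-ca       # issuer will be in the CApath only
make_leaf leaf-other other-ca   # issuer is in neither store

# CAfile: a short bundle holding only file-ca.
cp file-ca.pem bundle.pem

# CApath: hashed directory holding only dir-ca, stored as <subject-hash>.0
mkdir certs
cp dir-ca.pem "certs/$(openssl x509 -noout -subject_hash -in dir-ca.pem).0"

for leaf in leaf-file leaf-dir leaf-other; do
    if verify_leaf "$leaf"; then echo "$leaf: OK"; else echo "$leaf: rejected"; fi
done
```

The hinting half (which CA names a server advertises when requesting a client certificate) is set by the application and is not exercised here.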