"Kyle J. McKay" <mackyle@xxxxxxxxx> writes: > On my OS X platform depending on which version of OpenSSL I'm using, > the OPENSSLDIR path would be one of these: > > /System/Library/OpenSSL > /opt/local/etc/openssl > > And neither of those uses a "certs" directory, they both use a > "cert.pem" bundle instead: > > $ ls -l /System/Library/OpenSSL > total 32 > lrwxrwxrwx 1 root wheel 42 cert.pem -> ../../../usr/share/curl/ > curl-ca-bundle.crt > drwxr-xr-x 2 root wheel 68 certs > drwxr-xr-x 8 root wheel 272 misc > -rw-r--r-- 1 root wheel 9381 openssl.cnf > drwxr-xr-x 2 root wheel 68 private > # the certs directory is empty > > $ ls -l /opt/local/etc/openssl > total 32 > lrwxrwxrwx 1 root admin 35 cert.pem@ -> ../../share/curl/curl- > ca-bundle.crt > drwxr-xr-x 9 root admin 306 misc/ > -rw-r--r-- 1 root admin 10835 openssl.cnf > > Notice neither of those refers to /etc/ssl/certs at all. > > So the short answer is, yes, hard-coding /etc/ssl/certs as the path on > OS X is incorrect and if setting /etc/ssl/certs as the path has the > effect of replacing the default locations the verification will fail. The current code says "if nothing is specified, let's pretend /etc/ssl/certs was specified. Then if it is a directory, use it with SSL_ca_path, if it is a file, use it with SSL_ca_file, if it does not exist, do not even attempt verification." And that "let's pretend" breaks Fedora, where "/etc/ssl/certs" is a directory but is not meant to be used with SSL_ca_path---we try to use /etc/ssl/certs with SSL_ca_path and verification fails miserably. If I am reading the code correctly, if /etc/ssl/certs does not exist on the filesystem at all, it wouldn't even attempt verification, so I take your "the verification will fail" to mean that you forgot to also mention "And on OS X, /etc/ssl/certs directory still exists, even though OpenSSL does not use it." If that is the case, then our current code indeed is broken in exactly the same way for OS X as for Fedora. 
The proposed change in this thread would stop the defaulting altogether, and still ask the library for verification using its own default, so I can see how that would make the set-up you described on OS X work properly.

In short, I agree with you on both counts (the current code is wrong for OS X, and the proposed change will fix it). I just want to make sure that my understanding of the current breakage is in line with the reality ;-)

Thanks.
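To make the three branches described above concrete, here is an added example (not git's code and not from this thread) that classifies a candidate CA location the way a client would have to before handing it to SSL_ca_path or SSL_ca_file: a regular file such as cert.pem is a bundle, a directory is only usable with SSL_ca_path when it holds c_rehash-style names, and a missing path is where the old defaulting silently skipped verification. The enum, the hashed-name check and the constructed temp-directory fixture (mirroring the OS X layout quoted above) are all assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

enum ca_kind { CA_MISSING, CA_FILE, CA_DIR_HASHED, CA_DIR_UNUSABLE };
/* c_rehash-style link names look like 3513523f.0: 8 hex digits, '.', digits. */
int is_hash_name(const char *n)
{
    int i;
    for (i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)n[i])) return 0;
    if (n[8] != '.') return 0;
    for (i = 9; n[i]; i++)
        if (!isdigit((unsigned char)n[i])) return 0;
    return i > 9;
}
enum ca_kind classify_ca_location(const char *path)
{
    struct stat st; struct dirent *e; DIR *d = NULL; int hashed = 0;
    if (stat(path, &st) != 0) return CA_MISSING;  /* old code: no verification at all */
    if (S_ISREG(st.st_mode)) return CA_FILE;      /* a cert.pem bundle: SSL_ca_file */
    if (!S_ISDIR(st.st_mode) || !(d = opendir(path))) return CA_DIR_UNUSABLE;
    while (!hashed && (e = readdir(d)))           /* SSL_ca_path needs hashed names */
        hashed = is_hash_name(e->d_name);
    closedir(d);
    return hashed ? CA_DIR_HASHED : CA_DIR_UNUSABLE;
}
/* Constructed fixture under base; kind: 1 = directory, 0 = empty file, -1 = nothing. */
static enum ca_kind fixture(const char *base, const char *rel, int kind)
{
    char p[128]; FILE *f;
    snprintf(p, sizeof p, "%s/%s", base, rel);
    if (kind == 1) mkdir(p, 0700);
    else if (kind == 0 && (f = fopen(p, "w"))) fclose(f);
    return classify_ca_location(p);
}
/* Recreates the OS X layout quoted above in a temp dir; returns 1 if every case matches. */
int demo_self_check(void)
{
    char base[] = "/tmp/ca-demo-XXXXXX";
    if (!mkdtemp(base)) return 0;
    return fixture(base, "cert.pem", 0) == CA_FILE            /* the bundle */
        && fixture(base, "certs", 1) == CA_DIR_UNUSABLE       /* empty certs/, as on OS X */
        && fixture(base, "certs/3513523f.0", 0) == CA_FILE    /* add one hashed link */
        && fixture(base, "certs", -1) == CA_DIR_HASHED        /* now SSL_ca_path can use it */
        && fixture(base, "nowhere", -1) == CA_MISSING;        /* the skipped-verification case */
}
```

The same check run against a real /etc/ssl/certs shows whether that directory is actually hashed or, as on Fedora and OS X, merely exists.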