On 19/05/2016 18:19, Viktor Dukhovni wrote:
> With 0.9.8 s_client or s_server will be able to use the default
> CApath that is probably hashed with the 0.9.8-compatible hash
> algorithm, allowing either or both to construct a more complete
> chain,

Indeed, I find it very confusing that specifying -CAfile or -CApath
to the various "apps" doesn't override the default value of the
other, causing various tests to trust additional certificates not
intended to be trusted by that test.

This hit me when I was trying to test yesterday's question about the
numbering of certificate depths in error messages, as openssl verify
kept accepting the test case despite using a CAfile without the
relevant root. I had to pass in a dummy (empty) -CApath to get the
expected results.

Also, passing an empty file (such as /dev/null) for -CAfile causes
an error, forcing the use of an irrelevant certificate file to trust
an empty list of certificates.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
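The isolated-trust-store test described in the message above, as an added example that is not part of the original post or of OpenSSL's own test suite. The function names (make_pki, verify_isolated, demo), file names and certificate subjects are constructed for this sketch; it assumes an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example: throwaway PKI plus a verify call that trusts one CAfile only.
# make_pki, verify_isolated, file names and subjects are constructed here.

make_pki() {  # $1 = scratch directory
    w=$1
    mkdir -p "$w/empty-capath" || return 1
    # Minimal req config so both test roots carry basicConstraints CA:TRUE.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        'prompt = no' '[dn]' 'CN = placeholder' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' > "$w/ca.cnf" || return 1
    # "root" signs the leaf; "other" is an unrelated CA that must not validate it.
    for ca in root other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$w/ca.cnf" \
            -subj "/CN=Test $ca CA" -keyout "$w/$ca.key" -out "$w/$ca.pem" \
            2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$w/ca.cnf" \
        -subj "/CN=leaf.example" -keyout "$w/leaf.key" -out "$w/leaf.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$w/leaf.csr" -CA "$w/root.pem" -CAkey "$w/root.key" \
        -CAcreateserial -days 2 -out "$w/leaf.pem" 2>/dev/null
}

# Succeeds only if $3 verifies with $2 as the sole trusted CAfile. The empty
# -CApath stands in for the default hashed directory, as in the workaround
# above. The ": OK" line is checked rather than the exit status, so the result
# does not depend on how a given release sets its exit code.
verify_isolated() {  # $1 = scratch directory, $2 = CAfile, $3 = certificate
    openssl verify -CAfile "$2" -CApath "$1/empty-capath" "$3" 2>&1 |
        grep -q ': OK$'
}

demo() {
    work=$(mktemp -d) || return 1
    make_pki "$work" || { rm -rf "$work"; return 1; }
    verify_isolated "$work" "$work/root.pem" "$work/leaf.pem" && echo "root.pem: leaf accepted"
    verify_isolated "$work" "$work/other.pem" "$work/leaf.pem" || echo "other.pem: leaf rejected"
    rm -rf "$work"
}
demo
```

OpenSSL 1.1.0 and later also accept -no-CAfile and -no-CApath, which drop the default locations without needing a dummy directory.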