Current status

Richard Laager rlaager at wiktel.com
Tue Feb 12 06:20:38 UTC 2019


On 2/11/19 11:49 PM, Hal Murray via devel wrote:
> OpenSSL has separate slots for root-cert dir and file.  How should I tell 
> which?  Should we have separate config options?

It's not absolutely necessary to support both. One or the other is
sufficient. If you're only going to support one, the file is probably
the better choice, but I can't fully articulate why. I think it is more
likely that someone would have a root CA file than a directory. I
suspect that more clients support the file approach, but I'm not at all
sure. I have far more experience configuring servers; my clients usually
just use the default system-wide distro root CA list.

If you support both, I think they should be mutually exclusive, even
though this isn't required by the OpenSSL API. You could take them as
separate configuration parameters. You could take it as one
configuration parameter and stat() it; if it's a directory, pass it to
SSL_CTX_set_default_verify_dir(), otherwise pass it to
SSL_CTX_set_default_verify_file().

> I think Fedora and Debian cat all the certs in a directory into a file and 
> then use that for the default.  Sounds like a speedup.

It is. The directory approach has (symlinks to) the certificates with a
name hash as the filename. As you noted, this should perform faster than
using a giant file with all the CA certificates.

> There is a similar ca slot per server.
>     char *ca;           /* if NULL, use the site default (normal case) */
> Why?  Are we really interested in per server root certs for certificate 
> checking?  If so, example please?

I doubt it is necessary to have per-server root certs.

-- 
Richard
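The single-parameter stat() approach discussed in this reply, as an added example (not NTPsec code and not code from anyone in this thread), written against Python's ssl module, whose SSLContext.load_verify_locations(cafile=, capath=) wraps the OpenSSL call that takes explicit paths, SSL_CTX_load_verify_locations(ctx, file, dir). One caveat worth knowing before wiring this up: SSL_CTX_set_default_verify_dir() and SSL_CTX_set_default_verify_file() take no path argument at all; they only switch on the environment-driven defaults (SSL_CERT_DIR / SSL_CERT_FILE), so a configured path has to go through SSL_CTX_load_verify_locations(). The function names, the `ca` configuration key and the sample directory entries are assumptions for illustration.

```python
"""Map one `ca` config value onto OpenSSL's file-or-directory root store.

Added example, not project code.  The two OpenSSL slots are kept
mutually exclusive: exactly one of cafile/capath is ever passed.
"""
import os
import re
import ssl
import stat

# OpenSSL's by-hash directory lookup only opens entries named
# <8 hex digits>.<n> for certificates and <8 hex digits>.r<n> for CRLs
# (what `openssl rehash` / c_rehash creates).  Anything else is invisible.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.r?\d+$")


def ca_location(ca):
    """Classify a configured path as a CA file or a hashed CA directory.

    Returns keyword arguments for SSLContext.load_verify_locations.
    A missing or odd path raises ValueError here instead of falling
    through to OpenSSL, whose error would then blame the wrong slot.
    """
    try:
        st = os.stat(ca)  # follows symlinks, as OpenSSL itself does
    except OSError as e:
        raise ValueError("ca %r: %s" % (ca, e.strerror))
    if stat.S_ISDIR(st.st_mode):
        return {"capath": ca}
    if stat.S_ISREG(st.st_mode):
        return {"cafile": ca}
    raise ValueError("ca %r is neither a regular file nor a directory" % ca)


def hashed_entries(capath):
    """Count directory entries the hash-dir lookup could actually find."""
    return sum(1 for name in os.listdir(capath) if HASHED_NAME.match(name))


def configure_verify(ctx, ca=None):
    """Install the root store into ctx; None means the distro default list.

    Returns "default", "file" or "dir" so a caller can log what it got.
    """
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca is None:
        ctx.load_default_certs()  # == SSL_CTX_set_default_verify_paths()
        return "default"
    kwargs = ca_location(ca)
    if "capath" in kwargs and hashed_entries(ca) == 0:
        # OpenSSL does not look inside a capath at configuration time, so a
        # directory with nothing hash-named is accepted silently and every
        # later verification fails with "unable to get local issuer
        # certificate".  Fail closed at startup instead, matching the
        # cafile slot, which rejects a file holding no certificate.
        raise ValueError("ca directory %r has no hash-named entries; "
                         "run `openssl rehash` on it" % ca)
    ctx.load_verify_locations(**kwargs)  # ssl.SSLError for a cert-less file
    return "dir" if "capath" in kwargs else "file"


if __name__ == "__main__":
    # Demonstrate against whatever default CA file the platform provides.
    default_file = ssl.get_default_verify_paths().cafile
    if default_file and os.path.exists(default_file):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        print(default_file, "->", configure_verify(ctx, default_file))
```

The asymmetry in the two slots is the practical reason to prefer the file form when only one is supported: a bad file path or an empty file is caught the moment the context is configured, while a bad directory (wrong path, unhashed names, stale symlinks) only surfaces as verification failures on the first connection.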


More information about the devel mailing list