
curl-users

Default ca cert bundle

From: Doug Kaufman <dkaufman_at_rahul.net>
Date: Sat, 5 Jul 2003 10:51:44 -0700 (PDT)

I am not sure I understand the history or design considerations in
having a ca cert bundle default that is separate from that specified in
OpenSSL. OpenSSL calls its default ca cert bundle "cert.pem" and puts it
in the OpenSSL directory (but configurable when you create libcrypto).
It provides the environment variable "SSL_CERT_FILE" to override
this at run time. Similar measures exist for a hashed cert directory
(SSL_CERT_DIR). There are functions such as "X509_get_default_cert_file"
and "X509_get_default_cert_file_env", with the module usually handling
this in crypto/x509/by_file.c. Similar functions for the hashed cert
directory are in by_dir.c. Curl seems to ignore these and uses a default
ca cert bundle called "curl-ca-bundle.crt" put in /usr/share/curl and
overrides this at run time with "CURL_CA_BUNDLE".

Using the defaults could lead unintentionally to two different ca cert
bundles on the system, which might not be updated together (unless one
was just a link to the other). I was curious as to why curl chose this
route. If I were designing from scratch, I might have had curl use first
the value specified on the command line (--cacert), then the value
specified in the environment variable SSL_CERT_FILE, then the OpenSSL
default cert bundle. Now curl uses the value from the command line
first, then the value from CURL_CA_BUNDLE, then the curl default bundle.

Sorry if I misunderstand or if this has been discussed at length before,
as I am new to the curl-users list.
                              Doug

-- 
Doug Kaufman
Internet: dkaufman_at_rahul.net
Received on 2003-07-05
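The two lookup orders Doug contrasts, and the drift problem they create, are easy to make concrete. The script below is an added example, not code from the post or from the curl or OpenSSL projects: it resolves a CA bundle path the way the post says curl does (--cacert, then CURL_CA_BUNDLE, then curl's compiled-in default) and the way the post proposes (--cacert, then SSL_CERT_FILE, then OpenSSL's cert.pem), then checks whether the two resolved files are byte-identical. The two default paths are assumptions for illustration; on a real system `curl-config --ca` and `openssl version -d` report the actual locations.

```sh
#!/bin/sh
# Added example (not from the post, curl, or OpenSSL). Resolves the CA bundle
# under the two precedence orders described on the list and reports whether
# they point at the same content, which is the "two bundles on one system,
# updated separately" concern the post raises.

# Assumed defaults for illustration only; real builds differ. They can be
# overridden from the environment so the script can be tried against any pair.
CURL_DEFAULT_BUNDLE="${CURL_DEFAULT_BUNDLE:-/usr/share/curl/curl-ca-bundle.crt}"
OPENSSL_DEFAULT_BUNDLE="${OPENSSL_DEFAULT_BUNDLE:-/usr/local/ssl/cert.pem}"

# curl's order as the post describes it: --cacert value ($1, empty if not
# given), then the CURL_CA_BUNDLE environment variable, then curl's default.
resolve_curl_bundle() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -n "$CURL_CA_BUNDLE" ]; then
        printf '%s\n' "$CURL_CA_BUNDLE"
    else
        printf '%s\n' "$CURL_DEFAULT_BUNDLE"
    fi
}

# The order the post proposes instead: --cacert value, then SSL_CERT_FILE
# (the variable OpenSSL itself honours), then OpenSSL's own cert.pem.
resolve_openssl_bundle() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -n "$SSL_CERT_FILE" ]; then
        printf '%s\n' "$SSL_CERT_FILE"
    else
        printf '%s\n' "$OPENSSL_DEFAULT_BUNDLE"
    fi
}

# Resolve both ways and compare by content rather than by path, so a symlink
# or a faithfully copied file passes while a bundle that was updated on only
# one side fails. Exit status: 0 same, 1 differ, 2 one of them unreadable.
compare_bundles() {
    _curl_path=$(resolve_curl_bundle "$1")
    _ssl_path=$(resolve_openssl_bundle "$1")
    if [ ! -r "$_curl_path" ] || [ ! -r "$_ssl_path" ]; then
        echo "missing: $_curl_path or $_ssl_path is not readable"
        return 2
    fi
    if cmp -s "$_curl_path" "$_ssl_path"; then
        echo "same: $_curl_path and $_ssl_path have identical content"
        return 0
    fi
    echo "differ: $_curl_path and $_ssl_path are out of sync"
    return 1
}

# Usage: source this file, then run   compare_bundles ""   (no --cacert) or
# compare_bundles /path/given/to/--cacert   and check the exit status.
```

With no --cacert and neither environment variable set, the check reduces to comparing the two compiled-in defaults, which is exactly the case where a system can silently end up trusting two different root sets. Setting CURL_CA_BUNDLE and SSL_CERT_FILE to the same file, or linking one default to the other, makes the check pass.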