curl-users
Re: Default ca cert bundle
Date: Sun, 6 Jul 2003 10:49:53 +0200 (CEST)
On Sat, 5 Jul 2003, Doug Kaufman wrote:
> I am not sure I understand the history or design considerations in having a
> ca cert bundle default that is separate from that specified in OpenSSL.
AFAIK, there is none in the OpenSSL package and thus this wasn't a tricky
decision. There simply is no "standard" ca cert bundle path so we made our
own.
You can also tell the configure script to use a different one, if the curl one
isn't good for you.
> OpenSSL calls its default ca cert bundle "cert.pem" and puts it in the
> OpenSSL directory (but configurable when you create libcrypto).
I don't have such a file and I have 0.9.7a installed. I guess I would need
some additional configure parameters or something when I built OpenSSL.
> It provides the environment variable "SSL_CERT_FILE" to override this at run
> time. Similar measures exist for a hashed cert directory (SSL_CERT_DIR).
> There are functions such as "X509_get_default_cert_file" and
> "X509_get_default_cert_file_env", with the module usually handling this in
> crypto/x509/by_file.c. Similar functions for the hashed cert directory are
> in by_dir.c. Curl seems to ignore these and uses a default ca cert bundle
> called "curl-ca-bundle.crt" put in /usr/share/curl and overrides this at run
> time with "CURL_CA_BUNDLE".
Yes, because all of this OpenSSL magic you explain here is news to me. You are
the first person who brings this up.
> Using the defaults could lead unintentionally to two different ca cert
> bundles on the system, which might not be updated together (unless one was
> just a link to the other).
Yes, but how many people do actually have a ca cert bundle in the OpenSSL dir?
> I was curious as to why curl chose this route.
Because it has been unknown to me and the others who helped me make curl
behave like this.
> If I were designing from scratch, I might have had curl use first the value
> specified on the command line (--cacert), then the value specified in the
> environment variable SSL_CERT_FILE, then the OpenSSL default cert bundle.
> Now curl uses the value from the command line first, then the value from
> CURL_CA_BUNDLE, then the curl default bundle.
I agree we should try the SSL_CERT_FILE and the "OpenSSL default cert bundle"
before CURL_CA_BUNDLE and the curl default. It sounds like the right approach.
-- Daniel Stenberg -- curl: been grokking URLs since 1998
Received on 2003-07-06
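The two lookup orders discussed in this thread (curl's order at the time versus the one proposed above), plus a check for the "two bundles drifting apart" risk, as an added illustration that is not curl's own code. The curl default path is the one quoted in the thread; the OpenSSL default path is an assumption, since it depends on OPENSSLDIR for the local build.

```python
import hashlib
import os
import tempfile

# Path quoted in the thread; the OpenSSL default (cert.pem under OPENSSLDIR)
# varies per build, so the value below is an assumption for illustration.
CURL_DEFAULT_BUNDLE = "/usr/share/curl/curl-ca-bundle.crt"
OPENSSL_DEFAULT_BUNDLE = "/usr/local/ssl/cert.pem"  # assumption

# "current": curl's behaviour described in the thread.
# "proposed": the order suggested in the reply and agreed to above.
ORDERS = {
    "current": ("cli", "CURL_CA_BUNDLE", "curl_default"),
    "proposed": ("cli", "SSL_CERT_FILE", "openssl_default",
                 "CURL_CA_BUNDLE", "curl_default"),
}


def resolve_ca_bundle(cli_cacert, env, order="proposed", exists=os.path.isfile):
    """Return (source, path) of the first existing candidate, or None.

    `env` stands in for os.environ; `exists` is injectable so the precedence
    logic can be exercised without touching the real filesystem.
    """
    fixed = {"cli": cli_cacert,
             "openssl_default": OPENSSL_DEFAULT_BUNDLE,
             "curl_default": CURL_DEFAULT_BUNDLE}
    for source in ORDERS[order]:
        path = fixed[source] if source in fixed else env.get(source)
        if path and exists(path):
            return source, path
    return None


def bundles_diverge(path_a, path_b):
    """True when two existing bundles differ in content (the 'not updated
    together' risk); a symlink from one to the other compares equal."""
    if not (os.path.isfile(path_a) and os.path.isfile(path_b)):
        return False
    digests = []
    for path in (path_a, path_b):
        with open(path, "rb") as fh:
            digests.append(hashlib.sha256(fh.read()).hexdigest())
    return digests[0] != digests[1]


def demo():
    """Constructed sample: an OpenSSL-style cert.pem and a curl bundle that
    were updated separately and no longer match."""
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "cert.pem"), os.path.join(d, "curl-ca-bundle.crt")
    with open(a, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nconstructed-A\n-----END CERTIFICATE-----\n")
    with open(b, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nconstructed-B\n-----END CERTIFICATE-----\n")
    return bundles_diverge(a, b)
```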