Article delegate-en/4061 of [1-5169] on the server localhost:119
[Reference:<_A4060@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: How to verify a server's certificate?
11 Aug 2008 06:58:14 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hallo,

In message <_A4060@delegate-en.ML_> on 08/11/08(11:45:44) I wrote:
 |Maybe it is because sslway.c loads the default location of certificates
 |together with the explicitly specified certificates.
 |If it is the case, it can be disabled by removing the call to
 |"SSL_CTX_set_default_verify_paths(ctx)" from ssl_setCAs() in
 |filters/sslway.c.

I searched for documentation about "SSL_CTX_set_default_verify_paths()" but it
does not seem to be well documented.
The function seems to use two environment variables (defined in
OpenSSL/crypto/cryptlib.h as X509_CERT_{DIR,FILE}_EVP) to override the built-in
definitions for the default file and the directory of certificates
(defined in the file as X509_CERT_{DIR,FILE}), like this:

   command-arg.    environment-var.        builtin-constant
  -CAfile file >>  SSL_CERT_FILE=file  >>  OPENSSLDIR/cert.pem
  -CApath dir  >>  SSL_CERT_DIR=dir    >>  OPENSSLDIR/certs

Thus I think setting the SSL_CERT_DIR environment variable to an empty
directory will be effective to solve your problem, without changing
the code of DeleGate.

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
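
The lookup order in the table above, as an added example that is not part of the original message and is not DeleGate or OpenSSL code: it resolves both default trust locations (environment variable first, built-in constant otherwise) and counts what each one holds, so an operator can check what a given environment would load. The function names and the report layout are assumptions made for illustration; the variable names and built-in paths are read from the linked OpenSSL through Python's ssl.get_default_verify_paths().

```python
import os
import ssl
import tempfile

PEM_MARK = b"-----BEGIN CERTIFICATE-----"


def resolve_default_trust(environ=None):
    """Resolve both rows of the table: environment variable first,
    built-in constant otherwise, and count what is found at each location."""
    env = os.environ if environ is None else environ
    p = ssl.get_default_verify_paths()  # names and constants of the linked OpenSSL

    # Row 1: default CA file (counts plain PEM certificate blocks).
    cafile = env.get(p.openssl_cafile_env, p.openssl_cafile)
    certs = 0
    if os.path.isfile(cafile):
        with open(cafile, "rb") as fh:
            certs = fh.read().count(PEM_MARK)

    # Row 2: default CA directory. OpenSSL accepts several directories
    # separated by os.pathsep (':' on Unix), so each one is inspected.
    capath = env.get(p.openssl_capath_env, p.openssl_capath)
    dirs = [d for d in capath.split(os.pathsep) if d]
    entries = sum(len(os.listdir(d)) for d in dirs if os.path.isdir(d))

    def source(var):
        return var if var in env else "builtin"

    return {
        "file": {"path": cafile, "source": source(p.openssl_cafile_env),
                 "entries": certs},
        "dir": {"path": capath, "source": source(p.openssl_capath_env),
                "entries": entries},
    }


def default_trust_is_empty(environ=None):
    """True only if neither default location would contribute anything."""
    return all(v["entries"] == 0 for v in resolve_default_trust(environ).values())


if __name__ == "__main__":
    # Constructed sample: point SSL_CERT_DIR at a fresh, empty directory.
    with tempfile.TemporaryDirectory() as empty_dir:
        env = dict(os.environ, SSL_CERT_DIR=empty_dir)
        for kind, item in resolve_default_trust(env).items():
            print(kind, item)
        print("default trust empty:", default_trust_is_empty(env))
```
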
