On 12/4/24 15:35, Brian Julin wrote:
Orion Poplawski <orion@nwra.com>
It appears that if ca_file is specified, ca_path is not used. It doesn't seem like this is explicitly stated in the docs. Is this expected?
That's the general behavior of most applications that directly use OpenSSL libraries, at least the ones I have seen. It's usually file of path, one or the other, not both.
The behavior like comes from OpenSSL API, so it would have seemed obvious to someone who uses that library often when they were writing the docs, but yes it might be useful to elaborate in the documentation, and maybe a link to some generic OpenSSL-hosted source that explains their basic PKI directory schemes.
Hmm, I'm not entirely sure this is true for the FreeRADIUS case - it calls: /* Load the CAs we trust */ if (conf->ca_file || conf->ca_path) if (!X509_STORE_load_locations(store, conf->ca_file, conf->ca_path)) { tls_error_log(NULL, "Error reading Trusted root CA list \"%s\"", conf->ca_file); X509_STORE_free(store); return NULL; } And according to https://docs.openssl.org/3.0/man3/X509_STORE_add_cert/ : X509_STORE_load_locations_ex() combines X509_STORE_load_file_ex() and X509_STORE_load_path() for a given file and/or directory path. It is permitted to specify just a file, just a directory, or both paths. -- Orion Poplawski he/him/his - surely the least important thing about me Manager of IT Systems 720-772-5637 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane orion@nwra.com Boulder, CO 80301 https://www.nwra.com/