[EXT] Re: Trouble with OCSP
Brian Julin
BJulin at clarku.edu
Wed Dec 4 22:35:08 UTC 2024
Orion Poplawski <orion at nwra.com>
> It appears that if ca_file is specified, ca_path is not used. It
> doesn't seem like this is explicitly stated in the docs. Is this expected?
That's the general behavior of most applications that directly use OpenSSL libraries, at least the ones I have seen. It's usually file or path, one or the other, not both.
The behavior likely comes from the OpenSSL API, so it would have seemed obvious to someone who uses that library often when they were writing the docs, but yes it might be useful to elaborate in the documentation, and maybe a link to some generic OpenSSL-hosted source that explains their basic PKI directory schemes.
(There are some rather complex systems for managing certificate preferences on multi-user/multi-security-level systems that use a systemd-like directory labyrinth... I mean... structure of overrides and such, just be glad we don't use those :-) )