Quoting Rick Macklem <rmacklem_at_uoguelph.ca> (from Sun, 15 Mar 2020 23:27:58 +0000):

> As such, it still seems to be a bit of a mystery to me, but it seems that
> putting all the certificates in a CAfile and not using a CApath directory
> is the simpler way to go.

If you have multiple CAs in the file, the code needs to search for one which matches. If you use the path, the code just needs to list the directory and check the filename which matches the id of the CA-cert. On a recent -current system where you've never run "certctl rehash", have a look into /etc/ssl/certs, then run "certctl rehash", and then check /etc/ssl/certs again to see what I mean.

For a program which communicates with a lot of different systems which use different CAs (mailserver, browser), the path makes sense. For an NFS server I wouldn't configure all the Mozilla-accepted CAs. As such a CAfile may be enough, but having the possibility for both allows the user to choose which way he wants to configure his system (e.g. maybe he has just one CA in a directory, but for consistency reasons he prefers to specify the path to be able to use one way to configure things).

You can do it either way, technically it doesn't matter. It makes sense to have both possibilities (that would be my preference, to give the user the choice which way he wants to handle it). Having only the file-way would not be stupid (as you can see with wpa and unbound, which are used in a similar way in this regard to how one would use NFS). Only the path-way would be less favorable in my opinion.

> I haven't yet decided whether or not I'll specify a command option for
> setting CApath.

Sendmail does. wpa and unbound don't? Sendmail needs to use more than one CA if it wants to validate connections from anyone, and it wants to do it in a performant way. WIFI and DNS typically only need one CA.

Bye,
Alexander.
--
http://www.Leidinger.net Alexander_at_Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild_at_FreeBSD.org : PGP 0x8F31830F9F2772BF
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:23 UTC