Re: [Nmh-workers] TLS certificate validation

[Ken Hornstein]

>I thought they all did.  On a couple of machines to hand.

Fair enough!  I mised those!  Although .... it's not clear to me at first
glance those work exactly with the OpenSSL library out of the box.  I mean,
there's a reason web browsers ship their own CA infrastructure; operating
systems don't traditionally do a good job.  And I just shudder when I
think about trying to tell people how to download a CA trust chain.  Sigh.

>I've lots under /etc/ssl/certs.  Something under
>/usr/share/ca-certificates.  And things like wget(1) have a bunch of
>--certificate-* options and talk of "the file name is based on a hash
>value derived from the certificate" and "system-specified locations,
>chosen at OpenSSL installation time".

Right, it's talking about directories created with c_rehash.  I almost
think we'd need to configure that stuff somehow.

--Ken