[gnutls-devel] GnuTLS | Supporting SSL_CERT_DIR and SSL_CERT_FILE (#1279)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Oct 11 11:47:56 CEST 2021



Roel Janssen created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1279



## Description of the feature:

I want to propose implementing a feature that enables a user to choose a trust store at run-time. This feature would work exactly as it works in OpenSSL:
https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_default_verify_paths.html

> SSL_CTX_set_default_verify_paths() specifies that the default locations from which CA certificates are loaded should be used. There is one default directory, one default file and one default store. The default CA certificates directory is called certs in the default OpenSSL directory, and this is also the default store. Alternatively the SSL_CERT_DIR environment variable can be defined to override this location. The default CA certificates file is called cert.pem in the default OpenSSL directory. Alternatively the SSL_CERT_FILE environment variable can be defined to override this location.

This manual page describes being able to overwrite the default CA certificates by specifying alternatives using either `SSL_CERT_DIR` or `SSL_CERT_FILE`.

## Applications that this feature may be relevant to:

See a related discussion here:
https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00245.html

## Is this feature implemented in other libraries (and which)

Yes, in OpenSSL. See:
https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_default_verify_paths.html

## Guidance

If the feature request seems fine, but nobody can work on it, I would like to give it a try. If there are any perspectives that come to mind that I have to take into account while implementing this feature, please write them here. :)

Thank you!

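An application-side sketch of the requested behaviour, added here as an example and not taken from the issue, GnuTLS or OpenSSL: it decides whether `SSL_CERT_FILE` / `SSL_CERT_DIR` should replace the system trust store. The names `resolve_trust_override`, `safe_env` and `struct trust_override` are hypothetical. Two choices are this example's own assumptions: the variables are ignored in set-uid/set-gid processes, and a variable that is set but unusable is an error, so a typo does not silently widen trust back to the system store.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { TRUST_FILE = 1, TRUST_DIR = 2 };   /* bits of the returned mask */
struct trust_override { const char *file; const char *dir; };

/* The environment is caller-controlled; do not let it pick the trust
 * anchors of a set-uid/set-gid program. Empty values count as unset. */
static const char *safe_env(const char *name)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return NULL;
    const char *v = getenv(name);
    return (v && *v) ? v : NULL;
}

/* Returns 0 (no override: use the system store), a mask of TRUST_FILE and
 * TRUST_DIR, or -1 when a variable is set but does not name a usable path. */
int resolve_trust_override(struct trust_override *out)
{
    struct stat st;
    int mask = 0;
    out->file = safe_env("SSL_CERT_FILE");
    out->dir = safe_env("SSL_CERT_DIR");
    if (out->file) {
        if (stat(out->file, &st) != 0 || !S_ISREG(st.st_mode))
            return -1;
        mask |= TRUST_FILE;
    }
    if (out->dir) {
        if (stat(out->dir, &st) != 0 || !S_ISDIR(st.st_mode))
            return -1;
        mask |= TRUST_DIR;
    }
    return mask;
}

int main(void)
{
    struct trust_override t;
    int mask = resolve_trust_override(&t);
    if (mask < 0) { fputs("trust override unusable, refusing\n", stderr); return 1; }
    if (mask & TRUST_FILE) printf("gnutls_certificate_set_x509_trust_file: %s\n", t.file);
    if (mask & TRUST_DIR)  printf("gnutls_certificate_set_x509_trust_dir: %s\n", t.dir);
    if (mask == 0)         puts("gnutls_certificate_set_x509_system_trust");
    return 0;
}
```

`main` only prints which existing GnuTLS loader an application would call for each result; the block itself does not link against GnuTLS.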