1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
|
.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "X509_GET_DEFAULT_CERT_FILE 3SSL"
.TH X509_GET_DEFAULT_CERT_FILE 3SSL 2024-04-04 3.2.2-dev OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
X509_get_default_cert_file, X509_get_default_cert_file_env,
X509_get_default_cert_dir, X509_get_default_cert_dir_env \-
retrieve default locations for trusted CA certificates
.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& const char *X509_get_default_cert_file(void);
\& const char *X509_get_default_cert_dir(void);
\&
\& const char *X509_get_default_cert_file_env(void);
\& const char *X509_get_default_cert_dir_env(void);
.Ve
.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBX509_get_default_cert_file()\fR function returns the default path
to a file containing trusted CA certificates. OpenSSL will use this as
the default path when it is asked to load trusted CA certificates
from a file and no other path is specified. If the file exists, CA certificates
are loaded from the file.
.PP
The \fBX509_get_default_cert_dir()\fR function returns a default delimeter-separated
list of paths to a directories containing trusted CA certificates named in the
hashed format. OpenSSL will use this as the default list of paths when it is
asked to load trusted CA certificates from a directory and no other path is
specified. If a given directory in the list exists, OpenSSL attempts to lookup
CA certificates in this directory by calculating a filename based on a hash of
the certificate's subject name.
.PP
\&\fBX509_get_default_cert_file_env()\fR returns an environment variable name which is
recommended to specify a nondefault value to be used instead of the value
returned by \fBX509_get_default_cert_file()\fR. The value returned by the latter
function is not affected by these environment variables; you must check for this
environment variable yourself, using this function to retrieve the correct
environment variable name. If an environment variable is not set, the value
returned by the \fBX509_get_default_cert_file()\fR should be used.
.PP
\&\fBX509_get_default_cert_dir_env()\fR returns the environment variable name which is
recommended to specify a nondefault value to be used instead of the value
returned by \fBX509_get_default_cert_dir()\fR. The value specified by this environment
variable can also be a store URI (but see BUGS below).
.SH BUGS
.IX Header "BUGS"
By default (for example, when \fBX509_STORE_set_default_paths\fR\|(3) is used), the
environment variable name returned by \fBX509_get_default_cert_dir_env()\fR is
interpreted both as a delimiter-separated list of paths, and as a store URI.
This is ambiguous. For example, specifying a value of \fB"file:///etc/certs"\fR
would cause instantiation of the "file" store provided as part of the default
provider, but would also cause an \fBX509_LOOKUP_hash_dir\fR\|(3) instance to look
for certificates in the directory \fB"file"\fR (relative to the current working
directory) and the directory \fB"///etc/certs"\fR. This can be avoided by avoiding
use of the environment variable mechanism and using other methods to construct
X509_LOOKUP instances.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return pointers to constant strings with static storage
duration.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_LOOKUP\fR\|(3),
\&\fBSSL_CTX_set_default_verify_file\fR\|(3),
\&\fBSSL_CTX_set_default_verify_dir\fR\|(3),
\&\fBSSL_CTX_set_default_verify_store\fR\|(3),
\&\fBSSL_CTX_load_verify_file\fR\|(3),
\&\fBSSL_CTX_load_verify_dir\fR\|(3),
\&\fBSSL_CTX_load_verify_store\fR\|(3),
\&\fBSSL_CTX_load_verify_locations\fR\|(3)
.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2022\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
|
