Thanks for forwarding this, Salvatore--

On 12/06/2010 01:55 AM, Salvatore Bonaccorso wrote:
> Of the two patches, i prefer no-default-ca-certs.patch.
>
> The documentation makes references to ca/ and certs/my-ca.pem -- if
> these are actually used by the tool, then no-default-ca-certs.patch is
> definitely the way to go.

Hrm, as i look at it further, i'm not entirely sure that no-default-ca-certs operates as expected with users who are relying on the defaults of ca/ or certs/my-ca.pem. I do think that IO::Socket::SSL needs to fail *closed* though, and not revert to accepting unverified connections in the event that the user forgets to specify CAs (or fails to correctly populate the default locations).

--dkg