1. 10 Feb, 2013 1 commit
    • Support the Windows system certificate store. · c38dcfb3
      Timothy B. Terriberry authored
      OpenSSL on Windows does not pull certificates from any well-known
       location (in fact most binaries continue to use the default Unix
       path, which usually doesn't even exist).
      We could ship our own set of certificates (e.g., cloned from the
       Mozilla root list), but I don't want to be responsible for
       releasing libopusfile updates when things like the DigiNotar
       fiasco [1] happen.
      That approach also means that we would need to load, parse, and
       keep a copy of every certificate in the system for every SSL
       session.
      
      OpenSSL has had patches sitting in their bugtracker which load
       certificates from the Crypto API's system certificate store.
      However, those patches have been sitting around for several years,
       so movement on that front in the near future seems unlikely.
      We don't care about using OpenSSL's builtin CAPI engine, though, so
       we can do the same thing with less than 200 lines of code.
      This puts the maintenance burden on Windows Update, which will be
       far more timely and effective than getting people to upgrade
       libopusfile, and gets us on-demand loading of just the
       certificates we need.
      
      [1] <https://bugzilla.mozilla.org/show_bug.cgi?id=682927>