Skip to content
  • Timothy B. Terriberry's avatar
    Support the Windows system certificate store. · c38dcfb3
    Timothy B. Terriberry authored
    OpenSSL on Windows does not pull certificates from any well-known
     location (in fact most binaries continue to use the default Unix
     path, which usually doesn't even exist).
    We could ship our own set of certificates (e.g., cloned from the
     Mozilla root list), but I don't want to be responsible for
     releasing libopusfile updates when things like DigiNotar
     fiasco [1] happen.
    That approach also means that we would need to load, parse, and
     keep a copy of every certificate in the system for every SSL
     session.
    
    OpenSSL has had patches sitting in their bugtracker which load
     certificates from the Crypto API's system certificate store.
    However, those patches have been sitting around for several years,
     so movement on that front in the near future seems unlikely.
    We don't care about using OpenSSL's builtin CAPI engine, though, so
     we can do the same thing with less than 200 lines of code.
    This puts the maintenance burden on Windows Update, which will be
     far more timely and effective than getting people to upgrade
     libopusfile, and gets us on-demand loading of just the
     certificates we need.
    
    [1] <https://bugzilla.mozilla.org/show_bug.cgi?id=682927>
    c38dcfb3