Skip to content
Snippets Groups Projects
Forked from Xiph.Org / Opusfile
340 commits behind, 11 commits ahead of the upstream repository.
Timothy B. Terriberry's avatar
Timothy B. Terriberry authored
OpenSSL on Windows does not pull certificates from any well-known
 location (in fact most binaries continue to use the default Unix
 path, which usually doesn't even exist).
We could ship our own set of certificates (e.g., cloned from the
 Mozilla root list), but I don't want to be responsible for
 releasing libopusfile updates when things like DigiNotar
 fiasco [1] happen.
That approach also means that we would need to load, parse, and
 keep a copy of every certificate in the system for every SSL
 session.

OpenSSL has had patches sitting in their bugtracker which load
 certificates from the Crypto API's system certificate store.
However, those patches have been sitting around for several years,
 so movement on that front in the near future seems unlikely.
We don't care about using OpenSSL's builtin CAPI engine, though, so
 we can do the same thing with less than 200 lines of code.
This puts the maintenance burden on Windows Update, which will be
 far more timely and effective than getting people to upgrade
 libopusfile, and gets us on-demand loading of just the
 certificates we need.

[1] <https://bugzilla.mozilla.org/show_bug.cgi?id=682927>
c38dcfb3
History