Comment 12 for bug 551811

buzzdee (sebastia) wrote :

It seems just creating a directory and putting *.pem files into it will not be enough.

The certificates need to have a specific file name to be able for tcltls to use the certificates in the specified directory to pick them up for verification.

See:
http://sourceforge.net/tracker/index.php?func=detail&aid=2953768&group_id=13248&atid=113248

and:
http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html

when the user wants to add own certificate he has to run the c_rehash command.

For users without openssl installed, especially on Windows, this may be much more complicated than just opening a text editor to add their custom *pem file from the server.

Sander, what do you think about that, I'd say we should stick to the cafile stuff instead of using a directory.