- more documentation
- don't die if environment variable $HOME isn't defined but '-s'
parameter is used
- oidentd: change path, file is located in bipdir
In many cases, using OpenSSL's default certificate store is fine
and even preferred. If your OpenSSL provider (e.g. your
distribution) is competent, they will manage this database
better than you likely will. With this change, bip will
attempt to use the default certificate store if you set
CA mode but do not specify a certificate store location.
This could be refined to test after enabling the default paths
whether the certificate store is empty, and error/warn if
so.
The existing code only allows you to provide a set of trusted
CA certificates as an openssl 'CApath'-type directory. Fedora,
RHEL (and derived distros) and probably other distros provide
a system-wide database of trusted CA certs in various bundle
formats, but not as a CApath-type directory. This checks whether
check_store is a file or directory and loads it appropriately,
when initializing an SSL connection.
Note that there is code elsewhere which assumes the trust store
will be a file, but that code is hit only in CHECK_BASIC mode.
This change applies only to CHECK_CA mode.
