From 606e0426a148034c8c131de9f31f7d3e38be99ea Mon Sep 17 00:00:00 2001
From: Hugo Landau
Date: Fri, 8 Apr 2022 13:20:44 +0100
Subject: Add support for loading root CAs from Windows crypto API

Fixes #18020.

Reviewed-by: Richard Levitte
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/18070)
---
 CHANGES.md | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

(limited to 'CHANGES.md')

diff --git a/CHANGES.md b/CHANGES.md
index 5a5bc9d91f..9bc1a91c94 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -179,12 +179,24 @@ OpenSSL 3.1 *Hugo Landau* - * The `SSL_CERT_URI` environment variable has been added, which can be used - to specify a default URI for certificate stores. Previously, the - `SSL_CERT_DIR` environment variable was used for this purpose, and could - accept either a URI or a delimiter-separated list of paths. This usage is now - deprecated; to specify a delimiter-separated list of paths, use - `SSL_CERT_DIR`, and to specify a URI, use `SSL_CERT_URI`. + * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced. + `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The + `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of + paths which are searched for root certificates. + + The existing `SSL_CERT_DIR` environment variable is deprecated. + `SSL_CERT_DIR` was previously used to specify either a delimiter-separated + list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes + `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate + directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored + for the purposes of determining root certificate stores. + + *Hugo Landau* + + * Support for loading root certificates from the Windows certificate store + has been added. The support is in the form of a store which recognises the + URI string of `org.openssl.winstore://`. This store is enabled by default and + can be disabled using the new compile-time option `no-winstore`. *Hugo Landau* -- cgit v1.2.3
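Review bot: In the last added entry, "This store is enabled by default" does not say whether `org.openssl.winstore://` is only compiled in by default or is also consulted as a default root store when `SSL_CERT_URI` is not set. That decides whether the Windows system roots become trust anchors without any configuration, so the entry should state it explicitly and say what a `no-winstore` build falls back to. In the `SSL_CERT_DIR` paragraph, the text covers what happens when `SSL_CERT_PATH` or `SSL_CERT_URI` is set, but not how a lone `SSL_CERT_DIR` value is interpreted after this change (path list, URI, or either as before), nor which delimiter `SSL_CERT_PATH` expects; a sentence on each would remove the guesswork. Minor: "an URI" in that paragraph should read "a URI", matching the wording used earlier in the same entry.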