Hi,

I've created a very small patch that uses the default CApath ($OPENSSLDIR/certs/); it allows apps that use OpenSSL and do not allow specifying a CApath to function correctly. Most Linux distributions install certificates (for example the root certificate for CACert) there.

Before patch:

  $ wget 'https://rudolf/'
  --21:09:01--  https://rudolf/
             => `index.html'
  Resolving rudolf... 10.0.0.6
  Connecting to rudolf|10.0.0.6|:443... connected.
  ERROR: Certificate verification error for rudolf: unable to get local issuer certificate
  To connect to rudolf insecurely, use `--no-check-certificate'.
  Unable to establish SSL connection.

With patch applied:

  $ wget 'https://rudolf/'
  --21:08:24--  https://rudolf/
             => `index.html'
  Resolving rudolf... 10.0.0.6
  Connecting to rudolf|10.0.0.6|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 906 [text/html]

  100%[=================================================>] 906           --.--K/s

  21:08:24 (11.12 MB/s) - `index.html' saved [906/906]

That server (Apache) has a certificate signed by CACert. Can it get included in the next version of OpenSSL?

-- 
Krzysztof Pawlik
DBA - KP1365-RIPE
tel./fax: (+48 12) 628-73-50
e-mail: [EMAIL PROTECTED]
diff -Nru --exclude='*.o' openssl-0.9.8e.vanilla/ssl/ssl_lib.c
openssl-0.9.8e/ssl/ssl_lib.c
--- openssl-0.9.8e.vanilla/ssl/ssl_lib.c 2007-09-18 10:56:56.000000000
+0200
+++ openssl-0.9.8e/ssl/ssl_lib.c 2007-09-18 11:43:37.000000000 +0200
@@ -128,6 +128,9 @@
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
+#define HEADER_CRYPTLIB_H
+#include <openssl/opensslconf.h>
+#undef HEADER_CRYPTLIB_H
const char *SSL_version_str=OPENSSL_VERSION_TEXT;
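Review bot: the three added lines fake the cryptlib.h include guard (`+#define HEADER_CRYPTLIB_H` / `+#include <openssl/opensslconf.h>` / `+#undef HEADER_CRYPTLIB_H`) purely to coax OPENSSLDIR out of opensslconf.h, which is fragile: it depends on an internal conditional in that header that is not part of the public API and will silently stop defining the macro if the guard changes, and since opensslconf.h is normally already pulled in by the OpenSSL headers included above this spot, whether the trick works at all depends on include order. The library already exports what is needed: X509_get_default_cert_dir() (and the X509_CERT_DIR macro in <openssl/x509.h>) expands to OPENSSLDIR "/certs" and is what X509_STORE_set_default_paths() uses, so the include block can be dropped entirely in favour of that call.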
@@ -1453,6 +1456,8 @@
ret->extra_certs=NULL;
ret->comp_methods=SSL_COMP_get_compression_methods();
+ SSL_CTX_load_verify_locations(ret, NULL, OPENSSLDIR "/certs");
+
return(ret);
err:
SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
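Review bot: the return value of `+ SSL_CTX_load_verify_locations(ret, NULL, OPENSSLDIR "/certs");` is discarded, so a failure (the X509_LOOKUP allocation failing, for instance) neither reaches the `err:` path nor the caller; either check it and jump to `err` with a reason code other than the ERR_R_MALLOC_FAILURE that label currently reports, or make it deliberately best-effort and say so in a comment. The larger problem is that this silently widens the trust base of every SSL_CTX ever created: an application that keeps an empty store on purpose and loads only its own CA (a private PKI, a pinned issuer, or a server checking client certificates against its own CA) would after this patch also accept any chain ending in $OPENSSLDIR/certs, and its only way out is to replace the whole store with SSL_CTX_set_cert_store(), because the lookup is added before SSL_CTX_new() returns. That is why OpenSSL leaves this decision to the application through SSL_CTX_set_default_verify_paths(), which also honours SSL_CERT_DIR/SSL_CERT_FILE and reuses the X509_CERT_DIR definition instead of a second hard-coded OPENSSLDIR "/certs". If the goal is wget, that one call on the application side is the fix; if this is meant for the library, it needs at least an opt-out and a note in the SSL_CTX_new manual page.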
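What the patched SSL_CTX_new() silently relies on is that $OPENSSLDIR/certs is a hashed directory: X509_LOOKUP_hash_dir() only opens files named <subject-hash>.N, so a CA certificate merely copied into the directory is never found and verification fails with "unable to get local issuer certificate", the same error the wget transcript shows. The script below is an added example, not code from the mail or from OpenSSL; it assumes openssl(1) is in PATH and generates its own throwaway CA and leaf certificate (constructed test data, including the names and paths), then verifies the leaf against the directory before and after indexing it.

```shell
#!/bin/sh
# Added example (not from the original mail or from OpenSSL): build a CApath
# directory the way X509_LOOKUP_hash_dir expects it and verify a leaf
# certificate against it. Assumes openssl(1) is in PATH; the CA, the leaf and
# every path below are generated here and are constructed test data.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl(1) not found; nothing to demonstrate" >&2
    exit 0
fi

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Throwaway CA and a leaf certificate signed by it (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example test CA" \
    -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=rudolf" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$work/leaf.csr" -CA "$work/ca.pem" \
    -CAkey "$work/ca.key" -CAcreateserial -out "$work/leaf.pem" >/dev/null 2>&1

# rehash_dir DIR: index every *.pem in DIR by subject-name hash, using the
# <hash>.0, <hash>.1, ... naming that X509_LOOKUP_hash_dir walks (the suffix
# increments on hash collisions). -subject_hash uses the scheme of the running
# openssl, which is what matters: OpenSSL 1.0.0 changed the hash algorithm, so
# a directory hashed for 0.9.8 is invisible to newer libraries and vice versa.
rehash_dir() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        hash=$(openssl x509 -in "$pem" -noout -subject_hash)
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$dir/$hash.$n"
    done
}

# verify_leaf DIR: exit status 0 iff leaf.pem chains to a CA that OpenSSL can
# locate in DIR when DIR is used as the CApath.
verify_leaf() {
    openssl verify -CApath "$1" "$work/leaf.pem" >/dev/null 2>&1
}

mkdir "$work/certs"
cp "$work/ca.pem" "$work/certs/testca.pem"

# Before hashing: the CA file sits in the directory but the lookup cannot find it.
if verify_leaf "$work/certs"; then
    echo "unexpected: leaf verified against an unhashed CApath" >&2
    exit 1
fi
echo "unhashed CApath: verification fails (unable to get local issuer certificate), as expected"

# After hashing (what c_rehash / openssl rehash do for \$OPENSSLDIR/certs).
rehash_dir "$work/certs"
if verify_leaf "$work/certs"; then
    echo "hashed CApath: leaf.pem verifies OK"
else
    echo "hashed CApath: verification failed" >&2
    exit 1
fi
```

The same layout requirement applies to the directory the patch hard-codes: on a system where the distribution ships PEM files into $OPENSSLDIR/certs without running c_rehash, the patched SSL_CTX_new() adds a lookup that finds nothing, and wget fails exactly as in the "before" transcript.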
