Arne Ansper <[EMAIL PROTECTED]>:

>> Like I say, they should only do this if there was an error reported, surely?

> No. Take a look at the SSL_CTX_use_certificate_chain_file:
>
>   ret=SSL_CTX_use_certificate(ctx,x);
>   if (ERR_peek_error() != 0)
>     ret = 0;  /* Key/certificate mismatch doesn't imply ret==0 ... */

Actually I think this is a bug in SSL_CTX_use_certificate() -- if it intentionally ignores an error returned by X509_check_private_key(), it should call ERR_clear_error().

The reason why I did not fix this when I looked at this some time ago is some rather weird code in ssl_set_cert(), the function used by SSL_CTX_use_certificate() from which X509_check_private_key() is called. (If you look at ssl_set_cert(), you'll see that it switches from SSL_PKEY_DH_RSA to SSL_PKEY_DH_DSA and the other way around, which does not appear to make much sense.) Investigating this has been on my "to do" list for a while.

Once this has been resolved, the lines

  if (ERR_peek_error() != 0)
    ret = 0;  /* Key/certificate mismatch doesn't imply ret==0 ... */

can be removed from SSL_CTX_use_certificate_chain_file().

-- 
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]