OK, what's the status on this ticket? [bodo - Tue Feb 4 17:30:23 2003]:
> Arne Ansper <[EMAIL PROTECTED]>:
>
> >> Like I say, they should only do this if there was an error reported,
> surely?
>
> > No. Take a look at the SSL_CTX_use_certificate_chain_file:
> >
> > ret=SSL_CTX_use_certificate(ctx,x);
> > if (ERR_peek_error() != 0)
> > ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
>
> Actually I think this is a bug in SSL_CTX_use_certificate() -- if it
> intentionally ignores an error returned by X509_check_private_key(),
> it should call ERR_clear_error().
>
> The reason why I did not fix this when I looked at this some time ago
> is some rather weird code in ssl_set_cert(), the function used by
> SSL_CTX_use_certificate() from which X509_check_private_key() is
> called. (If you look at ssl_set_cert(), you'll see that it switches
> from SSL_PKEY_DH_RSA to SSL_PKEY_DH_DSA and the other way around,
> which does not appear to make much sense.) Investigating this has
> been on my "to do" list for a while. Once this has been resolved,
> the lines
>
> if (ERR_peek_error() != 0)
> ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
>
> can be removed from SSL_CTX_use_certificate_chain_file().

--
Richard Levitte [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]