Following command always fails. I believe the behaviour is not what we want. I attached a patch against s_client, s_server and s_time. Other commands might also be suffered from the safe problem.
openssl s_client -verify 0 -connect somewhere
diff -Nru openssl-SNAP-20040330.orig/apps/s_client.c openssl-SNAP-20040330/apps/s_client.c --- openssl-SNAP-20040330.orig/apps/s_client.c Fri Nov 28 23:00:09 2003 +++ openssl-SNAP-20040330/apps/s_client.c Tue Mar 30 19:22:45 2004 @@ -502,7 +502,8 @@ if (!set_cert_stuff(ctx,cert_file,key_file)) goto end; - if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || + if ((!(CAfile == NULL && CApath == NULL) && + !SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(ctx))) { /* BIO_printf(bio_err,"error setting default verify locations\n"); */ diff -Nru openssl-SNAP-20040330.orig/apps/s_server.c openssl-SNAP-20040330/apps/s_server.c --- openssl-SNAP-20040330.orig/apps/s_server.c Fri Nov 28 23:00:09 2003 +++ openssl-SNAP-20040330/apps/s_server.c Tue Mar 30 19:23:13 2004 @@ -814,7 +814,8 @@ } #endif - if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || + if ((!(CAfile == NULL && CApath == NULL) && + !SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(ctx))) { /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ diff -Nru openssl-SNAP-20040330.orig/apps/s_time.c openssl-SNAP-20040330/apps/s_time.c --- openssl-SNAP-20040330.orig/apps/s_time.c Sun Dec 28 00:00:40 2003 +++ openssl-SNAP-20040330/apps/s_time.c Tue Mar 30 19:22:14 2004 @@ -476,7 +476,8 @@ SSL_load_error_strings(); - if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || + if ((!(CAfile == NULL && CApath == NULL) && + !SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(tm_ctx))) { /* BIO_printf(bio_err,"error setting default verify locations\n"); */