After battling for a while why one could not configure more than one SSL
port in Squid when requesting client certificates it was found the culprit
is SSL_load_client_CA_file() which always leaves an error in the error
queue even if successful. This queued error then causes problems when
trying to load the certificate for the next SSL port etc.
OpenSSL versions tested:
0.9.7f-6 (Fedora Core development)
0.9.7a-35 (Fedora Core 2)
0.9.6-19 (RedHat Linux 7.1)
Trivial test program showing the error:
#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

int
main(int argc, char **argv)
{
    const char *ca;
    STACK_OF(X509_NAME) *cert_names;

    if (argc != 2) {
        fprintf(stderr, "usage: %s ca.pem\n", argv[0]);
        exit(1);
    }
    ca = argv[1];
    SSL_load_error_strings();
    SSL_library_init();
    cert_names = SSL_load_client_CA_file(ca);
    if (!cert_names) {
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    /* The call succeeded, so the error queue should be empty and
     * ERR_print_errors_fp() should print nothing here. */
    printf("SSL_load_client_CA_file successful. Expecting empty error queue:\n");
    ERR_print_errors_fp(stderr);
    printf("-- END --\n");
    return 0;
}
Workaround:
call ERR_clear_error() after a successful call to
SSL_load_client_CA_file().
Regards
Henrik
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]