Ludwig Nussel wrote:
> if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
> (!SSL_CTX_set_default_verify_paths(ctx)))
> {
> /* BIO_printf(bio_err,"error setting default verify locations\n"); */
> ERR_print_errors(bio_err);
> /* goto end; */
> }
>
> SSL_CTX_load_verify_locations() returns zero on failure or if both
> arguments are NULL. Therefore SSL_CTX_set_default_verify_paths()
> actually only gets called if SSL_CTX_load_verify_locations()
> succeeds which doesn't make much sense.
Here's a patch for that:
Index: apps/s_client.c
===================================================================
RCS file: /v/openssl/cvs/openssl/apps/s_client.c,v
retrieving revision 1.130
diff -u -r1.130 s_client.c
--- apps/s_client.c 16 Dec 2009 20:25:58 -0000 1.130
+++ apps/s_client.c 26 Feb 2010 14:20:09 -0000
@@ -904,12 +904,19 @@
if (!set_cert_key_stuff(ctx,cert,key))
goto end;
- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx)))
+ if (CAfile || CApath)
{
- /* BIO_printf(bio_err,"error setting default verify
locations\n"); */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
+ {
+ BIO_printf(bio_err,"error setting verify locations\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+ else
+ {
+ BIO_printf(bio_c_out,"using default CA certificates\n");
+ SSL_CTX_set_default_verify_paths(ctx);
}
#ifndef OPENSSL_NO_TLSEXT
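Review bot: the new else branch ignores the return value of SSL_CTX_set_default_verify_paths(ctx), so a failure to load the default locations goes unreported even though "using default CA certificates" has already been printed. Check the result and call ERR_print_errors(bio_err) on failure, as the CAfile/CApath branch does. The hunk also changes behaviour when CAfile or CApath is set: the removed condition called SSL_CTX_set_default_verify_paths() whenever SSL_CTX_load_verify_locations() succeeded, while the new code skips the defaults entirely in that case. If restricting trust to the supplied locations is intended, say so in the commit message. The failure path is also now fatal (goto end) where it was previously commented out, which deserves the same mention.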
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)