Hi,

> The fix is to change || in the above code to &&. Then, the
> command-line parameters are used to set the certificate path, and if
> that fails, the defaults are used instead. This then gives the

while the behaviour with your patch is a lot saner than without it, I would
argue that it's still broken, as it exhibits fail-open behaviour:
SSL_CTX_load_verify_locations() probably can fail for reasons other than
!(CAfile||CApath), and it's unlikely that the user meant "this CA, or any
other if loading this one fails for whatever reason".

(Arguably, SSL_CTX_load_verify_locations() is actually broken in that it
returns failure for an empty set of CAs, as it's logically perfectly
consistent to authenticate against a deny-all policy.)

Florian
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
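
The fail-open path described in the reply above, next to one fail-closed alternative, as an added example that is not code from the thread or from OpenSSL. The two `static` functions are stand-ins that model `SSL_CTX_load_verify_locations()` and the default-path loader (assumed here to be `SSL_CTX_set_default_verify_paths()`) so the logic runs without the library; `struct ctx`, the `setup_*` names and `corp-ca.pem` are hypothetical.

```c
#include <stddef.h>

/* Stand-ins for SSL_CTX_load_verify_locations() and
 * SSL_CTX_set_default_verify_paths(): return 1 on success, 0 on failure,
 * and record what ended up in the (modelled) trust store. */
enum { TRUST_NONE = 0, TRUST_USER_CA = 1, TRUST_DEFAULTS = 2 };
struct ctx { int trust; int user_ca_readable; };

static int load_verify_locations(struct ctx *c, const char *CAfile, const char *CApath)
{
    if (!CAfile && !CApath) return 0;    /* nothing requested: reported as failure */
    if (!c->user_ca_readable) return 0;  /* e.g. missing or malformed file */
    c->trust |= TRUST_USER_CA;
    return 1;
}

static int set_default_verify_paths(struct ctx *c)
{
    c->trust |= TRUST_DEFAULTS;
    return 1;
}

/* Patched logic (|| changed to &&): error only if both calls fail, so a
 * failed load of the requested CA silently falls through to the defaults. */
int setup_patched(struct ctx *c, const char *CAfile, const char *CApath)
{
    if (!load_verify_locations(c, CAfile, CApath) &&
        !set_default_verify_paths(c))
        return 0;
    return 1;
}

/* Fail-closed: defaults are used only when the user named no CA at all;
 * a named CA that cannot be loaded is a hard error. */
int setup_fail_closed(struct ctx *c, const char *CAfile, const char *CApath)
{
    if (CAfile || CApath)
        return load_verify_locations(c, CAfile, CApath);
    return set_default_verify_paths(c);
}

/* Run one policy on a constructed scenario and return the resulting trust
 * set, or -1 if setup refused to continue. */
int trust_after(int (*setup)(struct ctx *, const char *, const char *),
                const char *CAfile, int readable)
{
    struct ctx c = { TRUST_NONE, readable };
    return setup(&c, CAfile, NULL) ? c.trust : -1;
}
```

With a named but unloadable CA, `setup_patched` ends up trusting the defaults while `setup_fail_closed` refuses to continue.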
