Hi,

> So in that case it should try only the user's option if the user gave a
> -CApath or -CAfile, and otherwise the default option?

well, I am not an OpenSSL dev, but that's the behaviour I would consider
correct, yeah.

> The suggestion above has the advantage that it does not require
> SSL_CTX_load_verify_locations to be changed (as its behavior of failing
> when CApath and CAfile are both NULL is documented). However, if it were
> changed, then the code above would still work.

Yeah, I didn't mean to imply that SSL_CTX_load_verify_locations() should
be changed, for the reason you mention, just pointing out that the
behaviour doesn't really make sense ...

> The correct behavior is, as I hope I've made clear, outside my competence
> to decide, but I'm quite happy to work up an acceptable patch if guided as
> to what exactly it should implement.

Thanks for the work, that bug did have me scratch my head a while ago
(I used socat instead then, they manage to get it right), it wouldn't
hurt to get that fixed ...

Florian
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org