Hello again,

Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
> On Mar 1, 2017, at 11:46 AM, Steffen Nurpmeso <stef...@sdaoden.eu> wrote:
>> No, not that i know. But this -- thanks -- led me to the
>> following, which is the KISS that you want?
> ...
>> diff --git a/apps/apps.c b/apps/apps.c
>> index 216bc797d..3afbbaef2 100644
>> --- a/apps/apps.c
>> +++ b/apps/apps.c
>> @@ -1221,7 +1221,8 @@ X509_STORE *setup_verify(const char *CAfile, \
>> const char *CApath, int noCAfile, i
>>      if (lookup == NULL)
>>          goto end;
>>      if (CApath) {
>> -        if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM))\
>> {
>> +        if (!app_isdir(CApath) ||
>> +            !X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_P\
>> EM)) {
>>              BIO_printf(bio_err, "Error loading directory %s\n", \
>> CApath);
>>              goto end;
>>          }
>
> We may need to be careful. With OpenSSL <= 1.0.2, one way to suppress the
> built-in default CApath was to set "-CApath" to a non-existent directory.
> Users may have scripts relying on this behaviour. Now with 1.1.0 on some
> platforms OpenSSL already rejects non-existent directories, and we also
> provide a "-no-CAfile" option, but this change will extend the change to
> what is likely our most popular platform.
>
> So it will at least deserve a comment in the "NEWS"/"CHANGES" files.
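Review bot: the new `!app_isdir(CApath)` branch and a failing `X509_LOOKUP_add_dir()` both fall through to the same `BIO_printf(bio_err, "Error loading directory %s\n", CApath)`, so a user cannot tell "does not exist / not a directory" from a failure to register the lookup; give the `app_isdir()` case its own message (for instance "Not a directory: %s") so the -verbose hint Steffen asks for actually points at the cause. And as Viktor's reply above says, the guard turns a previously tolerated non-existent `-CApath` into a hard error on every platform, which needs a NEWS/CHANGES entry alongside the code.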
I understand that this is a "lingering" configuration, which is inspected on the fly as a last (or second last, if there is SSL_CTX_set_default_verify_paths(3). In fact i don't know, the documentation is horrific! E.g., just today i have implemented some *{smime,ssl}-ca-flags*, mostly to be able to provide X509_V_FLAG_PARTIAL_CHAIN, but you know you can't find just any X509_STORE_set_flags(_not_ 3) at all, it is, again, _horrific_. I for one, as someone unrelated, now that you have so many sponsors, i really wonder why you don't spend a little bit of money on some crypto nerd student(s) who really need(s) it in order to improve it. Really, and honestly.) resort.

But for an application that does a one-shot check i would at least expect a message that leads into the right direction, at least with -verbose. I for one _of course_ looked for X509_LOOKUP_add_dir() first, but i gave up after the second indirection. If you would ask me, i surely would add an X509_FILETYPE_CHECK_OR_ERROR or similar flag to get the synchronous checks. But who am i.

--steffen
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
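The synchronous check the thread asks for, as an added example in plain C with POSIX calls only (not OpenSSL's own `app_isdir()` and not code from either poster): it stats the `-CApath` argument and also confirms the directory holds at least one entry named the way OpenSSL's hash-dir lookup expects (`<8 hex digits>.<n>` for certificates, `.r<n>` for CRLs), since by_dir only records the path and looks for such files lazily at verification time. The temp-dir fixture and its `deadbeef.0` entry are constructed for the demo.

```c
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

enum capath_status { CAPATH_OK, CAPATH_MISSING, CAPATH_NOT_DIR, CAPATH_UNREADABLE, CAPATH_NO_HASHED };

/* A by_dir entry name is 8 hex digits, '.', an optional 'r' (CRL), then digits. */
static int is_hashed_name(const char *name) {
    size_t i;
    for (i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)name[i])) return 0;
    if (name[8] != '.') return 0;
    i = (name[9] == 'r') ? 10 : 9;
    if (!isdigit((unsigned char)name[i])) return 0;
    while (isdigit((unsigned char)name[i])) i++;
    return name[i] == '\0';
}

/* The up-front check OpenSSL's lazy hash-dir lookup does not perform: the path
 * must exist, be a readable directory and contain at least one hashed entry. */
enum capath_status capath_check(const char *path) {
    struct stat st; DIR *d; struct dirent *e; int found = 0;
    if (stat(path, &st) != 0) return CAPATH_MISSING;
    if (!S_ISDIR(st.st_mode)) return CAPATH_NOT_DIR;
    if ((d = opendir(path)) == NULL) return CAPATH_UNREADABLE;
    while (!found && (e = readdir(d)) != NULL)
        found = is_hashed_name(e->d_name);
    closedir(d);
    return found ? CAPATH_OK : CAPATH_NO_HASHED;
}

/* Constructed fixture: a per-process temp dir with an empty subdir and one file
 * named like a hashed cert link (its content is irrelevant to the check).
 * Returns how many of the four outcomes behaved as expected (4 = all). */
int demo_self_check(void) {
    char base[64], p[96]; FILE *f; int ok = 0;
    snprintf(base, sizeof base, "/tmp/capath-demo-%ld", (long)getpid());
    if (mkdir(base, 0700) != 0 && errno != EEXIST) return -1;
    snprintf(p, sizeof p, "%s/empty", base); mkdir(p, 0700);
    ok += capath_check(p) == CAPATH_NO_HASHED;        /* exists, but no hashed links */
    snprintf(p, sizeof p, "%s/missing", base);
    ok += capath_check(p) == CAPATH_MISSING;          /* the classic typo'd -CApath */
    snprintf(p, sizeof p, "%s/deadbeef.0", base);     /* constructed entry name */
    if ((f = fopen(p, "w")) != NULL) fclose(f);
    ok += capath_check(p) == CAPATH_NOT_DIR;          /* a file passed as -CApath */
    ok += capath_check(base) == CAPATH_OK;
    return ok;
}
```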