sure.. ok
On Mon, Jun 20, 2016 at 08:35:13AM -0500, Brent Cook wrote:
>
> This fixes a bug where the default certificate path locations would only
> be loaded if the CAfile or CApath locations were successfully loaded
> first. Original patch from OpenSSL:
>
> https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
>
> Noted here on the LibreSSL-portable github tracker:
>
> https://github.com/libressl-portable/openbsd/issues/62
>
> ok?
>
> Index: s_client.c
> ===
> RCS file: /cvs/src/usr.bin/openssl/s_client.c,v
> retrieving revision 1.27
> diff -u -p -r1.27 s_client.c
> --- s_client.c1 Dec 2015 12:01:56 - 1.27
> +++ s_client.c20 Jun 2016 13:31:43 -
> @@ -728,15 +728,13 @@ bad:
> if (!set_cert_key_stuff(ctx, cert, key))
> goto end;
>
> - if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
> - (!SSL_CTX_set_default_verify_paths(ctx))) {
> - /*
> - * BIO_printf(bio_err,"error setting default verify
> - * locations\n");
> - */
> + if ((CAfile || CApath)
> + && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath))
> ERR_print_errors(bio_err);
> - /* goto end; */
> - }
> +
> + if (!SSL_CTX_set_default_verify_paths(ctx))
> + ERR_print_errors(bio_err);
> +
> if (servername != NULL) {
> tlsextcbp.biodebug = bio_err;
> SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
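Review bot: When a CAfile or CApath was given explicitly and `SSL_CTX_load_verify_locations` fails, the new first `if` only calls `ERR_print_errors(bio_err)` and continues, so the handshake is then checked against the default trust store alone instead of the anchors the user asked for. A mistyped or unreadable CA path can therefore produce a verification result that looks valid but rests on a different set of roots. Consider failing closed in that branch, e.g. `if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) { ERR_print_errors(bio_err); goto end; }`. If continuing is deliberate for a diagnostic tool, a short comment such as `/* keep going with the default paths only; the verify result is informational */` would record that. The enclosing function starts and ends outside this hunk, so how the verify result is used later is not visible here.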
>