sure.. ok
On Mon, Jun 20, 2016 at 08:35:13AM -0500, Brent Cook wrote:
>
> This fixes a bug where the default certificate path locations would only
> be loaded if the CAfile or CApath locations were succesfully loaded
> first. Original patch from OpenSSL:
>
> https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
>
> Noted here on the LibreSSL-portable github tracker:
>
> https://github.com/libressl-portable/openbsd/issues/62
>
> ok?
>
> Index: s_client.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/openssl/s_client.c,v
> retrieving revision 1.27
> diff -u -p -r1.27 s_client.c
> --- s_client.c 1 Dec 2015 12:01:56 -0000 1.27
> +++ s_client.c 20 Jun 2016 13:31:43 -0000
> @@ -728,15 +728,13 @@ bad:
> if (!set_cert_key_stuff(ctx, cert, key))
> goto end;
>
> - if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
> - (!SSL_CTX_set_default_verify_paths(ctx))) {
> - /*
> - * BIO_printf(bio_err,"error setting default verify
> - * locations\n");
> - */
> + if ((CAfile || CApath)
> + && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath))
> ERR_print_errors(bio_err);
> - /* goto end; */
> - }
> +
> + if (!SSL_CTX_set_default_verify_paths(ctx))
> + ERR_print_errors(bio_err);
> +
> if (servername != NULL) {
> tlsextcbp.biodebug = bio_err;
> SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
>
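Review bot: In the first new `if`, a failed SSL_CTX_load_verify_locations() for a CAfile or CApath that the caller explicitly supplied is only printed, and execution falls through to SSL_CTX_set_default_verify_paths(), so the context ends up without the trust anchors that were requested and with the defaults instead. Since the old `/* goto end; */` is being dropped anyway, consider failing closed on that branch: `if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) { ERR_print_errors(bio_err); goto end; }`. Printing and continuing still looks reasonable for the default-paths call, where a missing system store is not something the user asked for. The enclosing function starts and ends outside the hunk, so how the verify result is used afterwards cannot be confirmed from here.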
