[openssl-users] [openssl-dev] [Bug] apps: -CApath does not fail for non-directories (on Linux)
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Mar 1 17:44:18 UTC 2017
> On Mar 1, 2017, at 11:46 AM, Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
>
> No, not that i know. But this -- thanks -- led me to the
> following, which is the KISS that you want?
> Ciao!
>
> diff --git a/apps/apps.c b/apps/apps.c
> index 216bc797d..3afbbaef2 100644
> --- a/apps/apps.c
> +++ b/apps/apps.c
> @@ -1221,7 +1221,8 @@ X509_STORE *setup_verify(const char *CAfile, const char *CApath, int noCAfile, i
> if (lookup == NULL)
> goto end;
> if (CApath) {
> - if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
> + if (!app_isdir(CApath) ||
> + !X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
> BIO_printf(bio_err, "Error loading directory %s\n", CApath);
> goto end;
> }
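Review bot: The new guard `if (!app_isdir(CApath) ||` only rejects the path when `app_isdir` returns 0; if that helper signals a stat() failure (for example a non-existent path) with a negative value rather than 0, the condition is false and control still falls through to `X509_LOOKUP_add_dir`, so the return convention should be confirmed and, if so, the test written as `app_isdir(CApath) <= 0`. Also, the unchanged `BIO_printf(bio_err, "Error loading directory %s\n", CApath);` now fires both when the path is not a directory and when loading fails; a distinct message for the first case would make a misconfigured `-CApath` easier to diagnose.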
We may need to be careful. With OpenSSL <= 1.0.2, one way to suppress the
built-in default CApath was to set "-CApath" to a non-existent directory.
Users may have scripts relying on this behaviour. Now with 1.1.0 on some
platforms OpenSSL already rejects non-existent directories, and we also
provide a "-no-CAfile" option, but this change will extend the change to
what is likely our most popular platform.
So it will at least deserve a comment in the "NEWS"/"CHANGES" files.
--
Viktor.