[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Fri Sep 25 13:53:45 UTC 2015


The branch master has been updated
       via  349b3107428d393580d9261f29afe8c700797b76 (commit)
       via  40e2d76becd095c7cb2749ee1b33a7a336c8c17d (commit)
       via  2b6bcb702d237171ec5217956a42c8dce031ea51 (commit)
       via  631fb6af5f404e4f8b4ae33f3ffdcec81b9df19a (commit)
       via  d84a7b20e3ce61fc8eb4ea74b62579c803e0772f (commit)
      from  a93d3e06a9849deeceadf1b51c10492ae77c43eb (commit)


- Log -----------------------------------------------------------------
commit 349b3107428d393580d9261f29afe8c700797b76
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Sep 22 16:02:50 2015 +0100

    Fix the OCSP test on Windows
    
    The windows test uses the pseudo file "nul" to indicate no file for the
    -CApath option. This does not work on all versions of Windows. Instead use
    the new -no-CApath option.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

commit 40e2d76becd095c7cb2749ee1b33a7a336c8c17d
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Sep 22 19:43:59 2015 +0100

    Document -no-CApath and -no-CAfile
    
    Add documentation to all the appropriate apps for the new -no-CApath and
    -no-CAfile options.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

commit 2b6bcb702d237171ec5217956a42c8dce031ea51
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Sep 22 16:00:52 2015 +0100

    Add support for -no-CApath and -no-CAfile options
    
    For those command line options that take the verification options
    -CApath and -CAfile, if those options are absent then the default path or
    file is used instead. It is not currently possible to specify *no* path or
    file at all. This change adds the options -no-CApath and -no-CAfile to
    specify that the default locations should not be used to all relevant
    applications.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

commit 631fb6af5f404e4f8b4ae33f3ffdcec81b9df19a
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Sep 22 17:05:17 2015 +0100

    Document the default CA path functions
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

commit d84a7b20e3ce61fc8eb4ea74b62579c803e0772f
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Sep 22 16:50:32 2015 +0100

    Add ability to set default CA path and file locations individually
    
    Previously you could only set both the default path and file locations
    together. This adds the ability to set one without the other.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/apps.c                               | 57 ++++++++++++++++++-------------
 apps/apps.h                               |  7 ++--
 apps/cms.c                                | 19 ++++++++---
 apps/crl.c                                | 18 +++++++---
 apps/ocsp.c                               | 15 ++++++--
 apps/pkcs12.c                             | 16 +++++++--
 apps/s_client.c                           | 17 +++++++--
 apps/s_server.c                           | 29 +++++++++++-----
 apps/s_time.c                             | 17 +++++++--
 apps/smime.c                              | 16 +++++++--
 apps/verify.c                             | 17 +++++++--
 doc/apps/cms.pod                          | 10 ++++++
 doc/apps/ocsp.pod                         | 10 ++++++
 doc/apps/pkcs12.pod                       | 10 ++++++
 doc/apps/s_client.pod                     | 10 ++++++
 doc/apps/s_server.pod                     | 10 ++++++
 doc/apps/s_time.pod                       | 10 ++++++
 doc/apps/smime.pod                        | 10 ++++++
 doc/apps/verify.pod                       | 10 ++++++
 doc/ssl/SSL_CTX_load_verify_locations.pod | 24 ++++++++++++-
 doc/ssl/ssl.pod                           | 11 ++++++
 include/openssl/ssl.h                     |  2 ++
 ssl/ssl_lib.c                             | 31 +++++++++++++++++
 test/recipes/80-test_ocsp.t               |  2 +-
 util/ssleay.num                           |  2 ++
 25 files changed, 320 insertions(+), 60 deletions(-)

diff --git a/apps/apps.c b/apps/apps.c
index 5b6a605..39ca963 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -227,11 +227,17 @@ int app_init(long mesgwin)
 }
 #endif
 
-int ctx_set_verify_locations(SSL_CTX *ctx,
-                             const char *CAfile, const char *CApath)
+int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
+                             const char *CApath, int noCAfile, int noCApath)
 {
-    if (CAfile == NULL && CApath == NULL)
-        return SSL_CTX_set_default_verify_paths(ctx);
+    if (CAfile == NULL && CApath == NULL) {
+        if (!noCAfile && SSL_CTX_set_default_verify_file(ctx) <= 0)
+            return 0;
+        if (!noCApath && SSL_CTX_set_default_verify_dir(ctx) <= 0)
+            return 0;
+
+        return 1;
+    }
     return SSL_CTX_load_verify_locations(ctx, CAfile, CApath);
 }
 
@@ -1244,34 +1250,39 @@ void print_array(BIO *out, const char* title, int len, const unsigned char* d)
     BIO_printf(out, "\n};\n");
 }
 
-X509_STORE *setup_verify(char *CAfile, char *CApath)
+X509_STORE *setup_verify(char *CAfile, char *CApath, int noCAfile, int noCApath)
 {
     X509_STORE *store = X509_STORE_new();
     X509_LOOKUP *lookup;
 
     if (!store)
         goto end;
-    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
-    if (lookup == NULL)
-        goto end;
-    if (CAfile) {
-        if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) {
-            BIO_printf(bio_err, "Error loading file %s\n", CAfile);
+
+    if(CAfile != NULL || !noCAfile) {
+        lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+        if (lookup == NULL)
             goto end;
-        }
-    } else
-        X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
+        if (CAfile) {
+            if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) {
+                BIO_printf(bio_err, "Error loading file %s\n", CAfile);
+                goto end;
+            }
+        } else
+            X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
+    }
 
-    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
-    if (lookup == NULL)
-        goto end;
-    if (CApath) {
-        if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
-            BIO_printf(bio_err, "Error loading directory %s\n", CApath);
+    if(CApath != NULL || !noCApath) {
+        lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
+        if (lookup == NULL)
             goto end;
-        }
-    } else
-        X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
+        if (CApath) {
+            if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
+                BIO_printf(bio_err, "Error loading directory %s\n", CApath);
+                goto end;
+            }
+        } else
+            X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
+    }
 
     ERR_clear_error();
     return store;
diff --git a/apps/apps.h b/apps/apps.h
index 2d198a1..185ac24 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -442,9 +442,10 @@ STACK_OF(X509) *load_certs(const char *file, int format,
 STACK_OF(X509_CRL) *load_crls(const char *file, int format,
                               const char *pass, ENGINE *e,
                               const char *cert_descrip);
-X509_STORE *setup_verify(char *CAfile, char *CApath);
-int ctx_set_verify_locations(SSL_CTX *ctx,
-                             const char *CAfile, const char *CApath);
+X509_STORE *setup_verify(char *CAfile, char *CApath,
+                         int noCAfile, int noCApath);
+int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
+                             const char *CApath, int noCAfile, int noCApath);
 # ifdef OPENSSL_NO_ENGINE
 #  define setup_engine(engine, debug) NULL
 # else
diff --git a/apps/cms.c b/apps/cms.c
index ae47341..6ed9338 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -118,9 +118,9 @@ typedef enum OPTION_choice {
     OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
     OPT_NOINDEF, OPT_NOOLDMIME, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
     OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
-    OPT_CAPATH, OPT_CONTENT, OPT_PRINT, OPT_SECRETKEY,
-    OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE, OPT_RAND,
-    OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
+    OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT,
+    OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE,
+    OPT_RAND, OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
     OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
     OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
     OPT_3DES_WRAP, OPT_ENGINE,
@@ -185,6 +185,10 @@ OPTIONS cms_options[] = {
     {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
     {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
     {"CApath", OPT_CAPATH, '/', "trusted certificates directory"},
+    {"no-CAfile", OPT_NOCAFILE, '-',
+     "Do not load the default certificates file"},
+    {"no-CApath", OPT_NOCAPATH, '-',
+     "Do not load certificates from the default certificates directory"},
     {"content", OPT_CONTENT, '<',
      "Supply or override content for detached signature"},
     {"print", OPT_PRINT, '-'},
@@ -242,6 +246,7 @@ int cms_main(int argc, char **argv)
     X509_VERIFY_PARAM *vpm = NULL;
     char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
     char *CAfile = NULL, *CApath = NULL, *certsoutfile = NULL;
+    int noCAfile = 0, noCApath = 0;
     char *infile = NULL, *outfile = NULL, *rctfile = NULL, *inrand = NULL;
     char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile =
         NULL;
@@ -422,6 +427,12 @@ int cms_main(int argc, char **argv)
         case OPT_CAPATH:
             CApath = opt_arg();
             break;
+        case OPT_NOCAFILE:
+            noCAfile = 1;
+            break;
+        case OPT_NOCAPATH:
+            noCApath = 1;
+            break;
         case OPT_IN:
             infile = opt_arg();
             break;
@@ -834,7 +845,7 @@ int cms_main(int argc, char **argv)
         goto end;
 
     if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) {
-        if ((store = setup_verify(CAfile, CApath)) == NULL)
+        if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
             goto end;
         X509_STORE_set_verify_cb(store, cms_cb);
         if (vpmtouched)
diff --git a/apps/crl.c b/apps/crl.c
index 735c8c0..253f7a5 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -70,8 +70,8 @@ typedef enum OPTION_choice {
     OPT_INFORM, OPT_IN, OPT_OUTFORM, OPT_OUT, OPT_KEYFORM, OPT_KEY,
     OPT_ISSUER, OPT_LASTUPDATE, OPT_NEXTUPDATE, OPT_FINGERPRINT,
     OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE,
-    OPT_VERIFY, OPT_TEXT, OPT_HASH, OPT_HASH_OLD, OPT_NOOUT,
-    OPT_NAMEOPT, OPT_MD
+    OPT_NOCAPATH, OPT_NOCAFILE, OPT_VERIFY, OPT_TEXT, OPT_HASH, OPT_HASH_OLD,
+    OPT_NOOUT, OPT_NAMEOPT, OPT_MD
 } OPTION_CHOICE;
 
 OPTIONS crl_options[] = {
@@ -92,6 +92,10 @@ OPTIONS crl_options[] = {
     {"gendelta", OPT_GENDELTA, '<'},
     {"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"},
     {"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"},
+    {"no-CAfile", OPT_NOCAFILE, '-',
+     "Do not load the default certificates file"},
+    {"no-CApath", OPT_NOCAPATH, '-',
+     "Do not load certificates from the default certificates directory"},
     {"verify", OPT_VERIFY, '-'},
     {"text", OPT_TEXT, '-', "Print out a text format version"},
     {"hash", OPT_HASH, '-', "Print hash value"},
@@ -121,7 +125,7 @@ int crl_main(int argc, char **argv)
     int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
     int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0;
-    int text = 0, do_ver = 0;
+    int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0;
     int i;
 #ifndef OPENSSL_NO_MD5
     int hash_old = 0;
@@ -171,6 +175,12 @@ int crl_main(int argc, char **argv)
             CAfile = opt_arg();
             do_ver = 1;
             break;
+        case OPT_NOCAPATH:
+            noCApath =  1;
+            break;
+        case OPT_NOCAFILE:
+            noCAfile =  1;
+            break;
         case OPT_HASH_OLD:
 #ifndef OPENSSL_NO_MD5
             hash_old = ++num;
@@ -230,7 +240,7 @@ int crl_main(int argc, char **argv)
         goto end;
 
     if (do_ver) {
-        if ((store = setup_verify(CAfile, CApath)) == NULL)
+        if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
             goto end;
         lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
         if (lookup == NULL)
diff --git a/apps/ocsp.c b/apps/ocsp.c
index e97d06e..960b776 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -131,7 +131,7 @@ typedef enum OPTION_choice {
     OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER,
     OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT,
     OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER,
-    OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH,
+    OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_NOCAFILE, OPT_NOCAPATH,
     OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT,
     OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL,
     OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER,
@@ -183,6 +183,10 @@ OPTIONS ocsp_options[] = {
      "Additional certificates to search for signer"},
     {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
     {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"},
+    {"no-CAfile", OPT_NOCAFILE, '-',
+     "Do not load the default certificates file"},
+    {"no-CApath", OPT_NOCAPATH, '-',
+     "Do not load certificates from the default certificates directory"},
     {"validity_period", OPT_VALIDITY_PERIOD, 'u',
      "Maximum validity discrepancy in seconds"},
     {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"},
@@ -236,6 +240,7 @@ int ocsp_main(int argc, char **argv)
     char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
     char *signfile = NULL, *keyfile = NULL;
     char *thost = NULL, *tport = NULL, *tpath = NULL;
+    int noCAfile = 0, noCApath = 0;
     int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1;
     int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1;
     int req_text = 0, resp_text = 0, req_timeout = -1, ret = 1;
@@ -369,6 +374,12 @@ int ocsp_main(int argc, char **argv)
         case OPT_CAPATH:
             CApath = opt_arg();
             break;
+        case OPT_NOCAFILE:
+            noCAfile = 1;
+            break;
+        case OPT_NOCAPATH:
+            noCApath = 1;
+            break;
         case OPT_V_CASES:
             if (!opt_verify(o, vpm))
                 goto end;
@@ -685,7 +696,7 @@ int ocsp_main(int argc, char **argv)
     }
 
     if (!store) {
-        store = setup_verify(CAfile, CApath);
+        store = setup_verify(CAfile, CApath, noCAfile, noCApath);
         if (!store)
             goto end;
     }
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 2e74cd4..e1f663a 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -98,7 +98,7 @@ typedef enum OPTION_choice {
     OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE,
     OPT_RAND, OPT_INKEY, OPT_CERTFILE, OPT_NAME, OPT_CSP, OPT_CANAME,
     OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH,
-    OPT_CAFILE, OPT_ENGINE
+    OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_ENGINE
 } OPTION_CHOICE;
 
 OPTIONS pkcs12_options[] = {
@@ -149,6 +149,10 @@ OPTIONS pkcs12_options[] = {
     {"password", OPT_PASSWORD, 's', "Set import/export password source"},
     {"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"},
     {"CAfile", OPT_CAFILE, '<', "PEM-format file of CA's"},
+    {"no-CAfile", OPT_NOCAFILE, '-',
+     "Do not load the default certificates file"},
+    {"no-CApath", OPT_NOCAPATH, '-',
+     "Do not load certificates from the default certificates directory"},
     {"", OPT_CIPHER, '-', "Any supported cipher"},
 # ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
@@ -174,6 +178,7 @@ int pkcs12_main(int argc, char **argv)
     char *passin = NULL, *passout = NULL, *inrand = NULL, *macalg = NULL;
     char *cpass = NULL, *mpass = NULL, *CApath = NULL, *CAfile = NULL;
     char *prog;
+    int noCApath = 0, noCAfile = 0;
     ENGINE *e = NULL;
     BIO *in = NULL, *out = NULL;
     PKCS12 *p12 = NULL;
@@ -307,6 +312,12 @@ int pkcs12_main(int argc, char **argv)
         case OPT_CAFILE:
             CAfile = opt_arg();
             break;
+        case OPT_NOCAPATH:
+            noCApath = 1;
+            break;
+        case OPT_NOCAFILE:
+            noCAfile = 1;
+            break;
         case OPT_ENGINE:
             e = setup_engine(opt_arg(), 0);
             break;
@@ -430,7 +441,8 @@ int pkcs12_main(int argc, char **argv)
             int vret;
             STACK_OF(X509) *chain2;
             X509_STORE *store;
-            if ((store = setup_verify(CAfile, CApath)) == NULL)
+            if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath))
+                    == NULL)
                 goto export_end;
 
             vret = get_cert_chain(ucert, store, &chain2);
diff --git a/apps/s_client.c b/apps/s_client.c
index 65e3bb8..e990a43 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -466,8 +466,8 @@ typedef enum OPTION_choice {
     OPT_SRP_LATEUSER, OPT_SRP_MOREGROUPS, OPT_SSL3,
     OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
     OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS,
-    OPT_CERT_CHAIN, OPT_CAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
-    OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE,
+    OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
+    OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE,
     OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN,
     OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_JPAKE,
     OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_SMTPHOST,
@@ -495,6 +495,10 @@ OPTIONS s_client_options[] = {
     {"pass", OPT_PASS, 's', "Private key file pass phrase source"},
     {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
     {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
+    {"no-CAfile", OPT_NOCAFILE, '-',
+     "Do not load the default certificates file"},
+    {"no-CApath", OPT_NOCAPATH, '-',
+     "Do not load certificates from the default certificates directory"},
     {"reconnect", OPT_RECONNECT, '-',
      "Drop and re-make the connection with the same Session-ID"},
     {"pause", OPT_PAUSE, '-', "Sleep  after each read and write system call"},
@@ -651,6 +655,7 @@ int s_client_main(int argc, char **argv)
     struct sockaddr peer;
     struct timeval timeout, *timeoutp;
     fd_set readfds, writefds;
+    int noCApath = 0, noCAfile = 0;
     int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_PEM;
     int key_format = FORMAT_PEM, crlf = 0, full_log = 1, mbuf_len = 0;
     int prexit = 0;
@@ -991,6 +996,9 @@ int s_client_main(int argc, char **argv)
         case OPT_CAPATH:
             CApath = opt_arg();
             break;
+        case OPT_NOCAPATH:
+            noCApath = 1;
+            break;
         case OPT_CHAINCAPATH:
             chCApath = opt_arg();
             break;
@@ -1003,6 +1011,9 @@ int s_client_main(int argc, char **argv)
         case OPT_CAFILE:
             CAfile = opt_arg();
             break;
+        case OPT_NOCAFILE:
+            noCAfile = 1;
+            break;
         case OPT_CHAINCAFILE:
             chCAfile = opt_arg();
             break;
@@ -1267,7 +1278,7 @@ int s_client_main(int argc, char **argv)
 
     SSL_CTX_set_verify(ctx, verify, verify_callback);
 
-    if (!ctx_set_verify_locations(ctx, CAfile, CApath)) {
+    if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
         ERR_print_errors(bio_err);
         goto end;
     }
diff --git a/apps/s_server.c b/apps/s_server.c
index ec73964..9ce1416 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -796,14 +796,14 @@ typedef enum OPTION_choice {
     OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM,
     OPT_PASS, OPT_CERT_CHAIN, OPT_DHPARAM, OPT_DCERTFORM, OPT_DCERT,
     OPT_DKEYFORM, OPT_DPASS, OPT_DKEY, OPT_DCERT_CHAIN, OPT_NOCERT,
-    OPT_CAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE,
+    OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE,
     OPT_EXT_CACHE, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
-    OPT_BUILD_CHAIN, OPT_CAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE,
-    OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF, OPT_DEBUG,
-    OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE, OPT_STATUS_TIMEOUT,
-    OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE, OPT_SECURITY_DEBUG,
-    OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF, OPT_QUIET,
-    OPT_BRIEF, OPT_NO_TMP_RSA, OPT_NO_DHE, OPT_NO_ECDHE,
+    OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE,
+    OPT_VERIFYCAFILE, OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF,
+    OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE,
+    OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE,
+    OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF,
+    OPT_QUIET, OPT_BRIEF, OPT_NO_TMP_RSA, OPT_NO_DHE, OPT_NO_ECDHE,
     OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
     OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP,
     OPT_SSL3,
@@ -854,8 +854,12 @@ OPTIONS s_server_options[] = {
     {"msg", OPT_MSG, '-', "Show protocol messages"},
     {"msgfile", OPT_MSGFILE, '>'},
     {"state", OPT_STATE, '-', "Print the SSL states"},
-    {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
     {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
+    {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
+    {"no-CAfile", OPT_NOCAFILE, '-',
+     "Do not load the default certificates file"},
+    {"no-CApath", OPT_NOCAPATH, '-',
+     "Do not load certificates from the default certificates directory"},
     {"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"},
     {"quiet", OPT_QUIET, '-', "No server output"},
     {"no_tmp_rsa", OPT_NO_TMP_RSA, '-', "Do not generate a tmp RSA key"},
@@ -996,6 +1000,7 @@ int s_server_main(int argc, char *argv[])
     int no_dhe = 0;
 #endif
     int no_tmp_rsa = 0, no_ecdhe = 0, nocert = 0, ret = 1;
+    int noCApath = 0, noCAfile = 0;
     int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
     int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
     int rev = 0, naccept = -1, sdebug = 0, socket_type = SOCK_STREAM;
@@ -1158,6 +1163,9 @@ int s_server_main(int argc, char *argv[])
         case OPT_CAPATH:
             CApath = opt_arg();
             break;
+        case OPT_NOCAPATH:
+            noCApath = 1;
+            break;
         case OPT_CHAINCAPATH:
             chCApath = opt_arg();
             break;
@@ -1205,6 +1213,9 @@ int s_server_main(int argc, char *argv[])
         case OPT_CAFILE:
             CAfile = opt_arg();
             break;
+        case OPT_NOCAFILE:
+            noCAfile = 1;
+            break;
         case OPT_CHAINCAFILE:
             chCAfile = opt_arg();
             break;
@@ -1657,7 +1668,7 @@ int s_server_main(int argc, char *argv[])
     }
 #endif
 
-    if (!ctx_set_verify_locations(ctx, CAfile, CApath)) {
+    if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
         ERR_print_errors(bio_err);
         goto end;
     }
diff --git a/apps/s_time.c b/apps/s_time.c
index ef95b5a..91d28c2 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -113,8 +113,8 @@ static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx);
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_CONNECT, OPT_CIPHER, OPT_CERT, OPT_KEY, OPT_CAPATH,
-    OPT_CAFILE, OPT_NEW, OPT_REUSE, OPT_BUGS, OPT_VERIFY, OPT_TIME,
-    OPT_SSL3,
+    OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NEW, OPT_REUSE, OPT_BUGS,
+    OPT_VERIFY, OPT_TIME, OPT_SSL3,
     OPT_WWW
 } OPTION_CHOICE;
 
@@ -127,6 +127,10 @@ OPTIONS s_time_options[] = {
     {"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"},
     {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
     {"cafile", OPT_CAFILE, '<', "PEM format file of CA's"},
+    {"no-CAfile", OPT_NOCAFILE, '-',
+     "Do not load the default certificates file"},
+    {"no-CApath", OPT_NOCAPATH, '-',
+     "Do not load certificates from the default certificates directory"},
     {"new", OPT_NEW, '-', "Just time new connections"},
     {"reuse", OPT_REUSE, '-', "Just time connection reuse"},
     {"bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility"},
@@ -157,6 +161,7 @@ int s_time_main(int argc, char **argv)
     char *CApath = NULL, *CAfile = NULL, *cipher = NULL, *www_path = NULL;
     char *host = SSL_CONNECT_NAME, *certfile = NULL, *keyfile = NULL, *prog;
     double totalTime = 0.0;
+    int noCApath = 0, noCAfile = 0;
     int maxtime = SECONDS, nConn = 0, perform = 3, ret = 1, i, st_bugs =
         0, ver;
     long bytes_read = 0, finishtime = 0;
@@ -208,6 +213,12 @@ int s_time_main(int argc, char **argv)
         case OPT_CAFILE:
             CAfile = opt_arg();
             break;
+        case OPT_NOCAPATH:
+            noCApath = 1;
+            break;
+        case OPT_NOCAFILE:
+            noCAfile = 1;
+            break;
         case OPT_CIPHER:
             cipher = opt_arg();
             break;
@@ -254,7 +265,7 @@ int s_time_main(int argc, char **argv)
     if (!set_cert_stuff(ctx, certfile, keyfile))
         goto end;
 
-    if (!ctx_set_verify_locations(ctx, CAfile, CApath)) {
+    if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
         ERR_print_errors(bio_err);
         goto end;
     }
diff --git a/apps/smime.c b/apps/smime.c
index 4da56cd..db645d0 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -90,7 +90,8 @@ typedef enum OPTION_choice {
     OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, OPT_MD,
     OPT_CIPHER, OPT_INKEY, OPT_KEYFORM, OPT_CERTFILE, OPT_CAFILE,
     OPT_V_ENUM,
-    OPT_CAPATH, OPT_IN, OPT_INFORM, OPT_OUT, OPT_OUTFORM, OPT_CONTENT
+    OPT_CAPATH, OPT_NOCAFILE, OPT_NOCAPATH, OPT_IN, OPT_INFORM, OPT_OUT,
+    OPT_OUTFORM, OPT_CONTENT
 } OPTION_CHOICE;
 
 OPTIONS smime_options[] = {
@@ -132,6 +133,10 @@ OPTIONS smime_options[] = {
     {"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
     {"CApath", OPT_CAPATH, '/', "Trusted certificates directory"},
     {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
+    {"no-CAfile", OPT_NOCAFILE, '-',
+     "Do not load the default certificates file"},
+    {"no-CApath", OPT_NOCAPATH, '-',
+     "Do not load certificates from the default certificates directory"},
     {"resign", OPT_RESIGN, '-'},
     {"nochain", OPT_NOCHAIN, '-'},
     {"nosmimecap", OPT_NOSMIMECAP, '-'},
@@ -171,6 +176,7 @@ int smime_main(int argc, char **argv)
     char *passinarg = NULL, *passin = NULL, *to = NULL, *from =
         NULL, *subject = NULL;
     OPTION_CHOICE o;
+    int noCApath = 0, noCAfile = 0;
     int flags = PKCS7_DETACHED, operation = 0, ret = 0, need_rand = 0, indef =
         0;
     int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform =
@@ -348,6 +354,12 @@ int smime_main(int argc, char **argv)
         case OPT_CAPATH:
             CApath = opt_arg();
             break;
+        case OPT_NOCAFILE:
+            noCAfile = 1;
+            break;
+        case OPT_NOCAPATH:
+            noCApath = 1;
+            break;
         case OPT_CONTENT:
             contfile = opt_arg();
             break;
@@ -523,7 +535,7 @@ int smime_main(int argc, char **argv)
         goto end;
 
     if (operation == SMIME_VERIFY) {
-        if ((store = setup_verify(CAfile, CApath)) == NULL)
+        if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
             goto end;
         X509_STORE_set_verify_cb(store, smime_cb);
         if (vpmtouched)
diff --git a/apps/verify.c b/apps/verify.c
index ce0ad24..61f8cf7 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -73,8 +73,8 @@ static int v_verbose = 0, vflags = 0;
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
-    OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_UNTRUSTED, OPT_TRUSTED,
-    OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN,
+    OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE,
+    OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN,
     OPT_V_ENUM,
     OPT_VERBOSE
 } OPTION_CHOICE;
@@ -87,6 +87,10 @@ OPTIONS verify_options[] = {
         "Print extra information about the operations being performed."},
     {"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"},
     {"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"},
+    {"no-CAfile", OPT_NOCAFILE, '-',
+     "Do not load the default certificates file"},
+    {"no-CApath", OPT_NOCAPATH, '-',
+     "Do not load certificates from the default certificates directory"},
     {"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"},
     {"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"},
     {"CRLfile", OPT_CRLFILE, '<',
@@ -110,6 +114,7 @@ int verify_main(int argc, char **argv)
     X509_STORE *store = NULL;
     X509_VERIFY_PARAM *vpm = NULL;
     char *prog, *CApath = NULL, *CAfile = NULL;
+    int noCApath = 0, noCAfile = 0;
     char *untfile = NULL, *trustfile = NULL, *crlfile = NULL;
     int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1;
     OPTION_CHOICE o;
@@ -155,6 +160,12 @@ int verify_main(int argc, char **argv)
         case OPT_CAFILE:
             CAfile = opt_arg();
             break;
+        case OPT_NOCAPATH:
+            noCApath = 1;
+            break;
+        case OPT_NOCAFILE:
+            noCAfile = 1;
+            break;
         case OPT_UNTRUSTED:
             untfile = opt_arg();
             break;
@@ -190,7 +201,7 @@ int verify_main(int argc, char **argv)
     if (!app_load_modules(NULL))
         goto end;
 
-    if ((store = setup_verify(CAfile, CApath)) == NULL)
+    if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
         goto end;
     X509_STORE_set_verify_cb(store, cb);
 
diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod
index 6b4beb4..cb7fc59 100644
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@@ -35,6 +35,8 @@ B<openssl> B<cms>
 [B<-print>]
 [B<-CAfile file>]
 [B<-CApath dir>]
+[B<-no-CAfile>]
+[B<-no-CApath>]
 [B<-attime timestamp>]
 [B<-check_ss_sig>]
 [B<-crl_check>]
@@ -272,6 +274,14 @@ B<-verify>. This directory must be a standard certificate directory: that
 is a hash of each subject name (using B<x509 -hash>) should be linked
 to each certificate.
 
+=item B<-no-CAfile>
+
+Do not load the trusted CA certificates from the default file location
+
+=item B<-no-CApath>
+
+Do not load the trusted CA certificates from the default directory location
+
 =item B<-md digest>
 
 digest algorithm to use when signing or resigning. If not present then the
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 2566966..2399134 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -30,6 +30,8 @@ B<openssl> B<ocsp>
 [B<-path>]
 [B<-CApath dir>]
 [B<-CAfile file>]
+[B<-no-CAfile>]
+[B<-no-CApath>]
 [B<-attime timestamp>]
 [B<-check_ss_sig>]
 [B<-crl_check>]
@@ -177,6 +179,14 @@ connection timeout to the OCSP responder in seconds
 file or pathname containing trusted CA certificates. These are used to verify
 the signature on the OCSP response.
 
+=item B<-no-CAfile>
+
+Do not load the trusted CA certificates from the default file location
+
+=item B<-no-CApath>
+
+Do not load the trusted CA certificates from the default directory location
+
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
 B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
 B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod
index f956c8e..f8162d0 100644
--- a/doc/apps/pkcs12.pod
+++ b/doc/apps/pkcs12.pod
@@ -39,6 +39,8 @@ B<openssl> B<pkcs12>
 [B<-rand file(s)>]
 [B<-CAfile file>]
 [B<-CApath dir>]
+[B<-no-CAfile>]
+[B<-no-CApath>]
 [B<-CSP name>]
 
 =head1 DESCRIPTION
@@ -281,6 +283,14 @@ CA storage as a directory. This directory must be a standard certificate
 directory: that is a hash of each subject name (using B<x509 -hash>) should be
 linked to each certificate.
 
+=item B<-no-CAfile>
+
+Do not load the trusted CA certificates from the default file location
+
+=item B<-no-CApath>
+
+Do not load the trusted CA certificates from the default directory location
+
 =item B<-CSP name>
 
 write B<name> as a Microsoft CSP name.
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 04982e6..4d23dc9 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -20,6 +20,8 @@ B<openssl> B<s_client>
 [B<-pass arg>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-no-CAfile>]
+[B<-no-CApath>]
 [B<-attime timestamp>]
 [B<-check_ss_sig>]
 [B<-crl_check>]
@@ -158,6 +160,14 @@ also used when building the client certificate chain.
 A file containing trusted certificates to use during server authentication
 and to use when attempting to build the client certificate chain.
 
+=item B<-no-CAfile>
+
+Do not load the trusted CA certificates from the default file location
+
+=item B<-no-CApath>
+
+Do not load the trusted CA certificates from the default directory location
+
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
 B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
 B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index 3fd9a81..cd8a3ef 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -34,6 +34,8 @@ B<openssl> B<s_server>
 [B<-state>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-no-CAfile>]
+[B<-no-CApath>]
 [B<-attime timestamp>]
 [B<-check_ss_sig>]
 [B<-explicit_policy>]
@@ -207,6 +209,14 @@ and to use when attempting to build the server certificate chain. The list
 is also used in the list of acceptable client CAs passed to the client when
 a certificate is requested.
 
+=item B<-no-CAfile>
+
+Do not load the trusted CA certificates from the default file location
+
+=item B<-no-CApath>
+
+Do not load the trusted CA certificates from the default directory location
+
 =item B<-verify depth>, B<-Verify depth>
 
 The verify depth to use. This specifies the maximum length of the
diff --git a/doc/apps/s_time.pod b/doc/apps/s_time.pod
index 50ac0e0..2c244c8 100644
--- a/doc/apps/s_time.pod
+++ b/doc/apps/s_time.pod
@@ -14,6 +14,8 @@ B<openssl> B<s_time>
 [B<-key filename>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-no-CAfile>]
+[B<-no-CApath>]
 [B<-reuse>]
 [B<-new>]
 [B<-verify depth>]
@@ -75,6 +77,14 @@ also used when building the client certificate chain.
 A file containing trusted certificates to use during server authentication
 and to use when attempting to build the client certificate chain.
 
+=item B<-no-CAfile>
+
+Do not load the trusted CA certificates from the default file location
+
+=item B<-no-CApath>
+
+Do not load the trusted CA certificates from the default directory location
+
 =item B<-new>
 
 performs the timing test using a new session ID for each connection.
diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod
index e9fbfda..d6f3de2 100644
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -17,6 +17,8 @@ B<openssl> B<smime>
 [B<-in file>]
 [B<-CAfile file>]
 [B<-CApath dir>]
+[B<-no-CAfile>]
+[B<-no-CApath>]
 [B<-attime timestamp>]
 [B<-check_ss_sig>]
 [B<-crl_check>]
@@ -175,6 +177,14 @@ B<-verify>. This directory must be a standard certificate directory: that
 is a hash of each subject name (using B<x509 -hash>) should be linked
 to each certificate.
 
+=item B<-no-CAfile>
+
+Do not load the trusted CA certificates from the default file location
+
+=item B<-no-CApath>
+
+Do not load the trusted CA certificates from the default directory location
+
 =item B<-md digest>
 
 digest algorithm to use when signing or resigning. If not present then the
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index f7364f3..afd1b95 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -9,6 +9,8 @@ verify - Utility to verify certificates.
 B<openssl> B<verify>
 [B<-CAfile file>]
 [B<-CApath directory>]
+[B<-no-CAfile>]
+[B<-no-CApath>]
 [B<-attime timestamp>]
 [B<-check_ss_sig>]
 [B<-CRLfile file>]
@@ -68,6 +70,14 @@ form ("hash" is the hashed certificate subject name: see the B<-hash> option
 of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
 create symbolic links to a directory of certificates.
 
+=item B<-no-CAfile>
+
+Do not load the trusted CA certificates from the default file location
+
+=item B<-no-CApath>
+
+Do not load the trusted CA certificates from the default directory location
+
 =item B<-attime timestamp>
 
 Perform validation checks using time specified by B<timestamp> and not
diff --git a/doc/ssl/SSL_CTX_load_verify_locations.pod b/doc/ssl/SSL_CTX_load_verify_locations.pod
index 8f7d627..de388d3 100644
--- a/doc/ssl/SSL_CTX_load_verify_locations.pod
+++ b/doc/ssl/SSL_CTX_load_verify_locations.pod
@@ -12,12 +12,30 @@ certificates
  int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
                                    const char *CApath);
 
+ int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
+
+ int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx);
+
+ int SSL_CTX_set_default_verify_file(SSL_CTX *ctx);
+
 =head1 DESCRIPTION
 
 SSL_CTX_load_verify_locations() specifies the locations for B<ctx>, at
 which CA certificates for verification purposes are located. The certificates
 available via B<CAfile> and B<CApath> are trusted.
 
+SSL_CTX_set_default_verify_paths() specifies that the default locations for
+which CA certificates are loaded should be used. There is one default directory
+and one default file.
+
+SSL_CTX_set_default_verify_dir() is similar to
+SSL_CTX_set_default_verify_paths() except that just the default directory is
+used.
+
+SSL_CTX_set_default_verify_file() is similar to
+SSL_CTX_set_default_verify_paths() except that just the default file is
+used.
+
 =head1 NOTES
 
 If B<CAfile> is not NULL, it points to a file of CA certificates in PEM
@@ -96,7 +114,7 @@ for use as B<CApath>:
 
 =head1 RETURN VALUES
 
-The following return values can occur:
+For SSL_CTX_load_verify_locations the following return values can occur:
 
 =over 4
 
@@ -112,6 +130,10 @@ The operation succeeded.
 
 =back
 
+SSL_CTX_set_default_verify_paths(), SSL_CTX_set_default_verify_dir() and
+SSL_CTX_set_default_verify_file() all return 1 on success or 0 on failure. A
+missing default location is still treated as a success.
+
 =head1 SEE ALSO
 
 L<ssl(3)>,
diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod
index 695a13c..3466ee4 100644
--- a/doc/ssl/ssl.pod
+++ b/doc/ssl/ssl.pod
@@ -298,6 +298,17 @@ protocol context defined in the B<SSL_CTX> structure.
 
 =item int B<SSL_CTX_set_default_verify_paths>(SSL_CTX *ctx);
 
+Use the default paths to locate trusted CA certificates. There is one default
+directory path and one default file path. Both are set via this call.
+
+=item int B<SSL_CTX_set_default_verify_dir>(SSL_CTX *ctx)
+
+Use the default directory path to locate trusted CA certficates.
+
+=item int B<SSL_CTX_set_default_verify_file>(SSL_CTX *ctx)
+
+Use the file path to locate trusted CA certficates.
+
 =item int B<SSL_CTX_set_ex_data>(SSL_CTX *s, int idx, char *arg);
 
 =item void B<SSL_CTX_set_info_callback>(SSL_CTX *ctx, void (*cb)(SSL *ssl, int cb, int ret));
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 192640e..04ef4d4 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1637,6 +1637,8 @@ void SSL_set_shutdown(SSL *ssl, int mode);
 __owur int SSL_get_shutdown(const SSL *ssl);
 __owur int SSL_version(const SSL *ssl);
 __owur int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
+__owur int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx);
+__owur int SSL_CTX_set_default_verify_file(SSL_CTX *ctx);
 __owur int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
                                   const char *CApath);
 # define SSL_get0_session SSL_get_session/* just peek at pointer */
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 6d1e4e8..b68f16d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2787,6 +2787,37 @@ int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
     return (X509_STORE_set_default_paths(ctx->cert_store));
 }
 
+int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx)
+{
+    X509_LOOKUP *lookup;
+
+    lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir());
+    if (lookup == NULL)
+        return 0;
+    X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
+
+    /* Clear any errors if the default directory does not exist */
+    ERR_clear_error();
+
+    return 1;
+}
+
+int SSL_CTX_set_default_verify_file(SSL_CTX *ctx)
+{
+    X509_LOOKUP *lookup;
+
+    lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_file());
+    if (lookup == NULL)
+        return 0;
+
+    X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
+
+    /* Clear any errors if the default file does not exist */
+    ERR_clear_error();
+
+    return 1;
+}
+
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
                                   const char *CApath)
 {
diff --git a/test/recipes/80-test_ocsp.t b/test/recipes/80-test_ocsp.t
index 7d7c96e..96e1220 100644
--- a/test/recipes/80-test_ocsp.t
+++ b/test/recipes/80-test_ocsp.t
@@ -27,7 +27,7 @@ sub test_ocsp {
 				"-partial_chain", @check_time,
 				"-CAfile", catfile($ocspdir, $CAfile),
 				"-verify_other", catfile($ocspdir, $CAfile),
-				"-CApath", devnull()]))),
+				"-no-CApath"]))),
 		  $title); });
 }
 
diff --git a/util/ssleay.num b/util/ssleay.num
index ddaf306..4c7f8d3 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -403,3 +403,5 @@ SSL_get_server_random                   437	EXIST::FUNCTION:
 SSL_get_client_ciphers                  438	EXIST::FUNCTION:
 SSL_get_client_random                   439	EXIST::FUNCTION:
 SSL_SESSION_get_master_key              440	EXIST::FUNCTION:
+SSL_CTX_set_default_verify_dir          441	EXIST::FUNCTION:
+SSL_CTX_set_default_verify_file         442	EXIST::FUNCTION:


More information about the openssl-commits mailing list