[openssl-dev] [openssl.org #3696] openssl 1.0.1k s_client app bug?

Tomas Zahradnicky via RT rt at openssl.org
Fri Feb 13 14:06:33 UTC 2015


Dear OpenSSL-dev list members,

there might be a bug in the OpenSSL s_client app. The s_client app does
not verify against root CA certificates in the store, unless either
-CAfile or -CApath is present (even with a bogus value). The problem
seems to be on apps/s_client.c:1187:

        if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
                (!SSL_CTX_set_default_verify_paths(ctx)))
                {
                /* BIO_printf(bio_err,"error setting default verify
locations\n"); */
                ERR_print_errors(bio_err);
                /* goto end; */
                }

SSL_CTX_load_verify_locations returns 0 if both CAfile and CApath
parameters are NULL, and, as a consequence,
SSL_CTX_set_default_verify_paths is not called since the || operator is
already true because of the first !0. If an argument such as
"-CApath /dev/null" is present, SSL_CTX_load_verify_locations returns 1
and SSL_CTX_load_verify_locations is called as expected. The logical or
operator appears to be wrong in this case.

Fix proposal: Change || to &&.

Is this a known problem?

Cheers,
Tomas Zahradnicky





More information about the openssl-dev mailing list