[openssl-dev] [openssl.org #3696] openssl 1.0.1k s_client app bug?
Tomas Zahradnicky via RT
rt at openssl.org
Fri Feb 13 14:06:33 UTC 2015
Dear OpenSSL-dev list members,
there might be a bug in the OpenSSL s_client app. The s_client app does
not verify against root CA certificates in the store, unless either
-CAfile or -CApath is present (even with a bogus value). The problem
seems to be on apps/s_client.c:1187:
if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
(!SSL_CTX_set_default_verify_paths(ctx)))
{
/* BIO_printf(bio_err,"error setting default verify
locations\n"); */
ERR_print_errors(bio_err);
/* goto end; */
}
SSL_CTX_load_verify_locations returns 0 if both CAfile and CApath
parameters are NULL, and, as a consequence,
SSL_CTX_set_default_verify_paths is not called since the || operator is
already true because of the first !0. If an argument such as
"-CApath /dev/null" is present, SSL_CTX_load_verify_locations returns 1
and SSL_CTX_load_verify_locations is called as expected. The logical or
operator appears to be wrong in this case.
Fix proposal: Change || to &&.
Is this a known problem?
Cheers,
Tomas Zahradnicky
More information about the openssl-dev
mailing list