[openssl-dev] [openssl.org #3697] Bug in s_client with loading of default certificates

Pertti Karppinen via RT rt at openssl.org
Fri Feb 13 14:07:08 UTC 2015


In apps/s_client.c there is an invalid if-clause:

if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
    (!SSL_CTX_set_default_verify_paths(ctx))) {
  /*
   * BIO_printf(bio_err,"error setting default
   verify locations\n");
   */
  ERR_print_errors(bio_err);
  /* goto end; */
}
		   
The function SSL_CTX_set_default_verify_paths is never called if both CAfile and
CApath are NULL, because in the file crypto/x509/x509_d2.c the function
X509_STORE_load_locations returns 0 in that case.

There seems to be something odd with the X509_STORE_load_locations function,
as everywhere else where it is called (it has the wrapper
SSL_CTX_load_verify_locations), both the path and file are checked, so they
are never both NULL, but still that condition is checked inside the function.
		   
-- 
Pertti Karppinen
Email pertti.karppinen at online.fi

Online Solutions Oy - http://www.online.fi/
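
Added example, not part of the original message and not OpenSSL code: a self-contained C model of the short-circuit described in the report, next to one possible restructuring that always attempts the default paths. The model_* functions are stand-ins (assumptions) that reproduce only the return behaviour stated above, and the file name "ca.pem" is a constructed sample value.

```c
#include <stddef.h>
#include <stdio.h>

static int defaults_loaded; /* set when the default-paths stand-in runs */

/* Stand-in for SSL_CTX_load_verify_locations: per the report, it
 * returns 0 when both CAfile and CApath are NULL. */
static int model_load_verify_locations(const char *CAfile, const char *CApath)
{
    if (CAfile == NULL && CApath == NULL)
        return 0;
    return 1; /* assume the given file or directory loads */
}

/* Stand-in for SSL_CTX_set_default_verify_paths; records that it ran. */
static int model_set_default_verify_paths(void)
{
    defaults_loaded = 1;
    return 1;
}

/* The condition as quoted in the report. Returns 1 if defaults were loaded. */
int reported_setup(const char *CAfile, const char *CApath)
{
    defaults_loaded = 0;
    if (!model_load_verify_locations(CAfile, CApath) ||
        !model_set_default_verify_paths()) {
        /* error path: || already short-circuited past the second call */
    }
    return defaults_loaded;
}

/* One possible restructuring (assumption): load explicit locations only
 * when one is given, and evaluate the default paths unconditionally. */
int restructured_setup(const char *CAfile, const char *CApath)
{
    int explicit_ok = 1, defaults_ok;
    defaults_loaded = 0;
    if (CAfile != NULL || CApath != NULL)
        explicit_ok = model_load_verify_locations(CAfile, CApath);
    defaults_ok = model_set_default_verify_paths();
    return explicit_ok && defaults_ok && defaults_loaded;
}

int main(void)
{
    printf("reported,     no CAfile/CApath: %d\n", reported_setup(NULL, NULL));
    printf("restructured, no CAfile/CApath: %d\n", restructured_setup(NULL, NULL));
    return 0;
}
```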



