[openssl-dev] [openssl.org #4285] SSL_CTX_load_verify_locations() fails without error with invalid files

Viktor Dukhovni openssl-users at dukhovni.org
Mon Feb 1 22:13:03 UTC 2016


On Mon, Feb 01, 2016 at 08:56:28PM +0000, Timo Sirainen via RT wrote:

> If the loaded file isn't valid, SSL_CTX_load_verify_locations() returns 0,
> but ERR_get_error() reports 0.

Actually, the processing of invalid files (that contain malformed
data) will push errors onto the error stack, but the processing of
*empty* files does not.

When a file is valid but contains no objects, the return value of
X509_load_cert_crl_file(), which is the number of objects loaded,
will be 0; this ultimately becomes the return value of
X509_LOOKUP_load_file(), and SSL_CTX_load_verify_locations() returns
early.

So indeed we should either decide that empty CAfiles or CRLfiles
are OK, or push a suitable error onto the stack if we found nothing
in the file at all.

I think that an empty CAfile is still a CAfile, that happens to
trust an empty set of CAs (mathematically sound degenerate case),
but that may not be the most useful behaviour in real life.

I'll leave it to others to decide what to do.

-- 
	Viktor.
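
Added example, not part of the original message or of OpenSSL: a caller-side guard for the empty-file case described above, written against Python's ssl module, whose SSLContext.load_verify_locations() wraps SSL_CTX_load_verify_locations(). The names EmptyTrustFile, count_pem_objects, load_ca_file and classify are hypothetical, the PEM label list is an assumption about which objects count, and the sample file contents are constructed.

```python
import os
import re
import ssl
import tempfile

# Assumption: these PEM labels are the ones that end up as store objects.
_PEM_BEGIN = re.compile(
    rb"^-----BEGIN (?:CERTIFICATE|X509 CERTIFICATE|TRUSTED CERTIFICATE|X509 CRL)"
    rb"-----[ \t\r]*$", re.M)

class EmptyTrustFile(ValueError):
    """The file is readable but declares no certificate or CRL."""

def count_pem_objects(data: bytes) -> int:
    """Count certificate/CRL BEGIN lines without decoding their bodies."""
    return len(_PEM_BEGIN.findall(data))

def load_ca_file(ctx: ssl.SSLContext, path: str) -> int:
    """Load path as a CAfile and return how many PEM objects it declares."""
    with open(path, "rb") as fh:
        found = count_pem_objects(fh.read())
    if found == 0:
        # The case from the thread: zero objects loaded and possibly nothing
        # on the OpenSSL error stack, so report it explicitly here.
        raise EmptyTrustFile(f"{path}: no certificate or CRL found")
    # Malformed contents are still rejected by OpenSSL and raise ssl.SSLError.
    ctx.load_verify_locations(cafile=path)
    return found

def classify(contents: bytes) -> str:
    """Write constructed contents to a temporary CAfile and report the outcome."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "ca.pem")
        with open(path, "wb") as fh:
            fh.write(contents)
        try:
            load_ca_file(ctx, path)
        except EmptyTrustFile:
            return "empty"
        except ssl.SSLError:
            return "malformed"
    return "loaded"

# Constructed sample inputs, not real trust anchors.
COMMENTS_ONLY = b"# trust anchors go here\n"
MALFORMED = (b"-----BEGIN CERTIFICATE-----\n!!this is not base64!!\n"
             b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in (("empty", b""), ("comments", COMMENTS_ONLY), ("bad", MALFORMED)):
        print(name, "->", classify(blob))
```
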

