Fix a bug loading the default certificate path locations.
authorbcook <bcook@openbsd.org>
Tue, 21 Jun 2016 03:56:43 +0000 (03:56 +0000)
committerbcook <bcook@openbsd.org>
Tue, 21 Jun 2016 03:56:43 +0000 (03:56 +0000)
The files would only be loaded if the CAfile or CApath locations were
successfully loaded first. Original patch from OpenSSL:

https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190

ok beck@

usr.bin/openssl/s_client.c

index 471a5e3..b35fa8c 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.27 2015/12/01 12:01:56 jca Exp $ */
+/* $OpenBSD: s_client.c,v 1.28 2016/06/21 03:56:43 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -728,15 +728,13 @@ bad:
        if (!set_cert_key_stuff(ctx, cert, key))
                goto end;
 
-       if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
-           (!SSL_CTX_set_default_verify_paths(ctx))) {
-               /*
-                * BIO_printf(bio_err,"error setting default verify
-                * locations\n");
-                */
+       if ((CAfile || CApath)
+           && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath))
                ERR_print_errors(bio_err);
-               /* goto end; */
-       }
+
+       if (!SSL_CTX_set_default_verify_paths(ctx))
+               ERR_print_errors(bio_err);
+
        if (servername != NULL) {
                tlsextcbp.biodebug = bio_err;
                SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
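Review bot: A failure to load an explicitly requested -CAfile/-CApath is still non-fatal in the new code: the first added `if` only calls ERR_print_errors() and then falls through, so the session continues with whatever the default store provides, and the verify result reported to the user may not reflect the trust anchors they asked for. If that fallback is deliberate (the old code carried a commented-out `goto end`), a comment on the condition would make it explicit, e.g. `/* Explicit locations that fail to load are reported but not fatal; the default store is still installed below. */`; otherwise the explicit-path branch should abort: `if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) { ERR_print_errors(bio_err); goto end; }`. It would also help to note why the `(CAfile || CApath)` guard exists, since SSL_CTX_load_verify_locations() fails when both arguments are NULL, which is what made the old combined condition skip the default paths. The enclosing function starts before this hunk (at the `bad:` label context) and continues after it.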