Ulrike Gnnel wrote:
> 
> Hello,
> 
> I found a bug in the crypto/x509 part of the SSL library.
> The documentation implies that I can use either the file
> /usr/local/ssl/cert.pem for the trusted certificates or the file specified
> in the environment variable SSL_CERT_FILE. But if there is no certificate
> stored in the file /usr/local/ssl/cert.pem or if this file doesn't exist, the
> environment variable will not be used.
> 
> I took a look at the source file crypto/x509/by_file.c:
> 
> static int by_file_ctrl(X509_LOOKUP .....
> ...
> case X509_L_FILE_LOAD:
>   if (argl == X509_FILETYPE_DEFAULT)
>           {
>           ok =(X509_load_cert_crl_file(ctx,X509_get_default_cert_file(),
>                  X509_FILETYPE_PEM) != 0);
> 
> ---> the value of ok will be 0 if there is no file or no certificate
> inside the default file
> 
>           if (!ok)
>                   {
>                     X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS);
> 
>                   }
>           else
>                   {
> 
> ---> this part will be executed only if the value of ok is not 0 !
> so it will be executed only if there is at least one certificate
> in the default file
> 
> but it should be executed in any case
> 
>                     file=(char *)Getenv(X509_get_default_cert_file_env());
> 
>                     ok = (X509_load_cert_crl_file(ctx,file,
>                             X509_FILETYPE_PEM) != 0);
>                   }
>           }
> .....
> 
> I hope that will help to fix the bug (or is it a feature ;-)) ?
> 

Well that behaviour is undocumented and I don't think anyone has ever
used that so I'd say it's a feature :-)

Not a very good feature though so it will be fixed.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
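
The branch structure discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: a self-contained C model comparing the quoted control flow with the reporter's proposal of consulting the environment file in any case. The in-memory file table, load_file(), the SRC_* flags and the /tmp/example-ca.pem path are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the filesystem: path -> certificates in the file. */
struct store { const char *path; int certs; };
enum { SRC_DEFAULT = 1, SRC_ENV = 2 };  /* which sources contributed trust anchors */

/* Hypothetical simplification of X509_load_cert_crl_file(): count loaded, 0 on failure. */
static int load_file(const struct store *fs, size_t n, const char *path)
{
    for (size_t i = 0; path != NULL && i < n; i++)
        if (strcmp(fs[i].path, path) == 0)
            return fs[i].certs;
    return 0;  /* unset variable, missing file, or file without certificates */
}

/* Branch structure quoted in the report: the env file sits in the else branch. */
int load_defaults_reported(const struct store *fs, size_t n,
                           const char *def_path, const char *env_path)
{
    int loaded = 0;
    if (load_file(fs, n, def_path) == 0)
        return loaded;  /* X509err() path: env file is never consulted */
    loaded |= SRC_DEFAULT;
    if (load_file(fs, n, env_path) != 0)
        loaded |= SRC_ENV;
    return loaded;
}

/* Reporter's proposal: consult the env file in any case. */
int load_defaults_proposed(const struct store *fs, size_t n,
                           const char *def_path, const char *env_path)
{
    int loaded = 0;
    if (load_file(fs, n, def_path) != 0) loaded |= SRC_DEFAULT;
    if (load_file(fs, n, env_path) != 0) loaded |= SRC_ENV;
    return loaded;
}

int main(void)
{
    /* Constructed case: default file absent, operator's bundle holds 3 certs. */
    const struct store fs[] = { { "/tmp/example-ca.pem", 3 } };
    const char *def = "/usr/local/ssl/cert.pem", *env = "/tmp/example-ca.pem";
    printf("reported: %d  proposed: %d\n", load_defaults_reported(fs, 1, def, env),
           load_defaults_proposed(fs, 1, def, env));
    return 0;
}
```

With the default file absent, the reported flow ends with no trust anchors loaded even though the environment variable points at a valid bundle, so a test for this behaviour should cover the missing-default case explicitly.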
