The default CA certs file path is ignored in commands like s_client, because if you don't specify -CApath or -CAfile on the s_client command line, SSL_CTX_load_verify_locations() will return 0 and the code:

    if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
        (!SSL_CTX_set_default_verify_paths(ctx)))

will skip the SSL_CTX_set_default_verify_paths() call.

There are two possible ways to fix this problem: either do not call SSL_CTX_load_verify_locations() when CAfile and CApath are both NULL, or fix the code of X509_STORE_load_locations() not to return 0 when both path and file are NULL.

The X509_STORE_load_locations() implementation is debatable in more ways than one, because it will return 0 immediately when the file lookup load fails and so it will not attempt to add the dir lookup at all in this case. In my opinion it should at least try both (of course returning failure if any load fails).

See also https://bugzilla.redhat.com/show_bug.cgi?id=421011

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]