> Or do not call tls_configure_ssl_verify() if verification is turned
> off.
This makes sense to me.
>
> Index: lib/libtls/tls_client.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/lib/libtls/tls_client.c,v
> retrieving revision 1.38
> diff -u -p -r1.38 tls_client.c
> --- lib/libtls/tls_client.c 26 Dec 2016 16:20:58 -0000 1.38
> +++ lib/libtls/tls_client.c 29 Dec 2016 22:56:23 -0000
> @@ -195,7 +195,9 @@ tls_connect_common(struct tls *ctx, cons
> }
> }
>
> - if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1)
> + if (ctx->config->verify_cert &&
> + (tls_configure_ssl_verify(ctx, ctx->ssl_ctx,
> + SSL_VERIFY_PEER) == -1))
> goto err;
>
> if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) !=
> 1) {
>
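Review bot: the new guard skips tls_configure_ssl_verify() entirely when ctx->config->verify_cert is unset, so the SSL_CTX is left at its default verify mode and whatever that function would otherwise set up (the CA material the thread refers to as cert.pem) is never touched; a short comment above the `if (ctx->config->verify_cert &&` line stating that this skip is intentional would save the next reader from wondering whether SSL_VERIFY_NONE still needs to be configured explicitly. The continuation lines of the split condition also appear with the same indentation as the `if`; aligning them under the opening parenthesis would match the surrounding style.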
ok beck@
> I would prefer the fix in libtls as
> - this problem may also affect other daemons
> - avoid doing unnecessary stuff
> - syslogd could run on a system without cert.pem
>
> comments? ok?
>
> bluhm