Message236512
> and it is not reproducible using openssl s_client
I have determined that s_client is buggy. It will always load the system certs *if and only if* you also pass it a valid custom CA cert (which is the reverse of what's expected).
This is where it happens (in apps/s_client.c):
if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(ctx))) {
/*
* BIO_printf(bio_err,"error setting default verify locations\n");
*/
ERR_print_errors(bio_err);
/* goto end; */
}
This is why I forced SSL_CERT_* to empty locations in the examples above, so that only the custom CA bundle is used. |
|
Date |
User |
Action |
Args |
2015-02-24 16:22:57 | pitrou | set | recipients:
+ pitrou, janssen, nagle, giampaolo.rodola, christian.heimes, alex, icordasc, dstufft, demian.brecht, Lukasa, lac |
2015-02-24 16:22:57 | pitrou | set | messageid: <1424794977.54.0.729580281908.issue23476@psf.upfronthosting.co.za> |
2015-02-24 16:22:57 | pitrou | link | issue23476 messages |
2015-02-24 16:22:57 | pitrou | create | |
|