Message236512
| Author | pitrou |
| Recipients | Lukasa, alex, christian.heimes, demian.brecht, dstufft, giampaolo.rodola, icordasc, janssen, lac, nagle, pitrou |
| Date | 2015-02-24.16:22:57 |
| SpamBayes Score | -1.0 |
| Marked as misclassified | Yes |
| Message-id | <1424794977.54.0.729580281908.issue23476@psf.upfronthosting.co.za> |
| In-reply-to | |
| Content |
> and it is not reproducible using openssl s_client

I have determined that s_client is buggy. It will always load the system certs *if and only if* you also pass it a valid custom CA cert (which is the reverse of what's expected).

This is where it happens (in apps/s_client.c):

    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
        (!SSL_CTX_set_default_verify_paths(ctx))) {
        /*
         * BIO_printf(bio_err,"error setting default verify locations\n");
         */
        ERR_print_errors(bio_err);
        /* goto end; */
    }

This is why I forced SSL_CERT_* to empty locations in the examples above, so that only the custom CA bundle is used.
History

| Date | User | Action | Args |
|---|---|---|---|
| 2015-02-24 16:22:57 | pitrou | set | recipients: + pitrou, janssen, nagle, giampaolo.rodola, christian.heimes, alex, icordasc, dstufft, demian.brecht, Lukasa, lac |
| 2015-02-24 16:22:57 | pitrou | set | messageid: <1424794977.54.0.729580281908.issue23476@psf.upfronthosting.co.za> |
| 2015-02-24 16:22:57 | pitrou | link | issue23476 messages |
| 2015-02-24 16:22:57 | pitrou | create | |