Hi,
> Ha! Ain't this code great! You're correct that I misread it. So right
> now:
> * If you don't specify either option, no CAs will be available
> * if you specify -CAfile and it can't be loaded, then no CAs will be
> available
> * if you specify -CApath and either it's the zero-length path ("") or
> there's a malloc failure in the string parsing, then only the CAs from the
> -CAfile option (if any) will be available
> * if you specified either -CAfile or -CApath or both and neither failed
> (i.e., none of the above cases), then those CAs *and* the CAs in the
> default paths will be available
I so far haven't investigated the semantics of
SSL_CTX_load_verify_locations() in case of failure (and it would seem like
actually failing the program would maybe be saner than just continuing, so
that the behaviour simply wouldn't matter), and I had assumed that
SSL_CTX_set_default_verify_paths() would override what has been set before
(How does this API design make any sense if you can actually specify
multiple files and/or directories? But then again, expecting it to make
sense might be the mistake ...), but other than that, your analysis agrees
with what I know.
> Those are...amazing...semantics.
It must be an advanced feature that we don't understand!
> The proposed patch would, if I'm reading it correctly, change the semantics
> to instead be:
> * if you don't specify either option, you get the CAs in the default paths
> * if you specify -CAfile and it can't be loaded, then no CAs will be
> available
> * if you specify -CApath and either it's the zero-length path ("") or
> there's a malloc failure in the string parsing, then only the CAs from the
> -CAfile option (if any) will be available
> * if you specified either -CAfile or -CApath or both and neither failed
> (i.e., none of the above cases), then only those CAs will be available
>
> That is, it would move the default CA loading from the "specified either or
> both option and nothing failed" case to the "specified neither option"
> case. Yes?
That seems to be correct, after having looked a little(!) bit deeper into
the X509_STORE stuff now. That is to say: I wouldn't be sure about all the
details, but in any case the idea is to load the default values only in the
case when neither of the -CA* options has been specified, which at least
isn't braindead anymore, and which I would not expect to break any
expectations of existing OpenSSL users.
Florian
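The rule the thread converges on (load the default paths only when neither -CA* option was given, and fail hard instead of silently continuing with an empty trust store), written out as an added example; this is not OpenSSL's apps code or Florian's patch. It uses Python's standard `ssl` module, whose `load_verify_locations()` and `load_default_certs()` call `SSL_CTX_load_verify_locations()` and `SSL_CTX_set_default_verify_paths()` underneath, and the function names `build_verify_context` and `trust_anchor_count` are this example's own:

```python
import os
import ssl
import tempfile


def build_verify_context(cafile=None, capath=None):
    """Build a client SSLContext under the proposed semantics.

    Returns (context, source) where source is "default" or "explicit".
    A failure to load an explicitly named location raises instead of
    silently leaving the trust store empty, which is the "no CAs will be
    available" state the thread describes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True

    if cafile is None and capath is None:
        # Neither -CAfile nor -CApath given: use the library's default
        # paths (SSL_CTX_set_default_verify_paths underneath).
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
        return ctx, "default"

    # The zero-length -CApath case from the thread: reject it up front
    # rather than rely on how the library treats an empty directory name.
    if cafile == "" or capath == "":
        raise ValueError("empty -CAfile/-CApath value")

    # SSL_CTX_load_verify_locations underneath. A missing or unparsable
    # file raises OSError / ssl.SSLError; we deliberately let it propagate.
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx, "explicit"


def trust_anchor_count(ctx):
    """Number of certificates currently held in the context's X509_STORE.

    Directory (capath) lookups are resolved lazily, so an empty directory
    reports 0 here: a quick check for the silently-empty-store condition
    the old semantics could leave behind.
    """
    return ctx.cert_store_stats()["x509"]


if __name__ == "__main__":
    # Constructed inputs: an empty temporary directory as -CApath, and a
    # file name that does not exist as -CAfile.
    with tempfile.TemporaryDirectory() as empty_dir:
        ctx, src = build_verify_context(capath=empty_dir)
        print(src, trust_anchor_count(ctx))  # explicit 0
        try:
            build_verify_context(cafile=os.path.join(empty_dir, "missing.pem"))
        except OSError as exc:
            print("refused:", exc)
    ctx, src = build_verify_context()
    print(src, trust_anchor_count(ctx))
```

The two things worth taking from it: the decision about defaults is made once, before any loading happens, so there is no path where explicit and default stores get merged; and the empty-store check is independent of that decision, so a caller can still detect an explicit `-CApath` that matched nothing.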