Rob Heittman wrote:
>
> > > before we embark on a mission here :-) Any known issues building
> > > Apache-SSL with SSLeay 0.9.0 on Linux-glibc6?
> >
> > Nope.
>
> Hmm, I'm getting an error when the httpsd binary built with 0.9.0 (still
> static) tries to read the cert, "error seting default verify locations".
> Haven't run into this one before -- thoughts? There's no CA stuff set up
> on the testing server . . . but this doesn't pose a problem with a binary
> using 0.8.0.
OK. So I lied :-)
> The basic culprit appears to be this addition (crypto/x509/x509_d2.c:105):
>
>     if ((path == NULL) && (file == NULL))
>         return(0);
>
> Formerly, a null path and a null file returned the default value of 1.
> However, if you remove this check, you now get a complimentary SEGV upon
> executing this call, free of charge :-) There appear to be some deeper
> changes in the x509 stuff.
Fixed in the next version.
> So, I guess the repair question is: should it be defined as a
> misconfiguration to have no valid CA information in the configuration file
> (and thus Apache-SSL could gripe and croak if the values were missing)
Nope.
>
> ... or ...
>
> should we detect the condition as an acceptable special-case
> configuration, and feed SSLeay something acceptable as inputs to
> SSL_CTX_load_verify_locations / SSL_CTX_set_default_verify_paths,
Nope.
>
> ... or ...
>
> whine to Eric about the change to 0.9.0's behavior :-)
Tried that :-)
The answer is simply to not call them when path and file are NULL.
I'll release 1.17 soon.
Cheers,
Ben.
--
Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache
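The caller-side fix Ben describes (skip the verify-locations call entirely when neither a CA file nor a CA path is configured, so that 0.9.0's new return value of 0 is never mistaken for a real failure) as an added example in C. This is not Apache-SSL's or SSLeay's own code: the library call is placed behind a function pointer so the block compiles without SSLeay/OpenSSL headers, `load_09x()` is a constructed stand-in that reproduces only the quoted `x509_d2.c` check plus a readability test, and the names `setup_ca_verify`, `verify_loader_fn` and the `VERIFY_*` values are assumptions.

```c
/* Added example, not Apache-SSL or SSLeay code. Shows the guard from the
 * thread: do not call SSL_CTX_load_verify_locations() at all when both the
 * CA file and CA path are NULL, instead of passing NULL/NULL and treating
 * the resulting 0 as a fatal "setting default verify locations" error. */
#include <stddef.h>
#include <stdio.h>

/* Signature shaped like SSL_CTX_load_verify_locations(ctx, file, path);
 * the real function takes an SSL_CTX *, abstracted here as void *. */
typedef int (*verify_loader_fn)(void *ctx, const char *file, const char *path);

/* Outcome of configuring CA verify locations for one server context. */
enum verify_setup {
    VERIFY_SKIPPED = 0,   /* nothing configured: loader never called */
    VERIFY_LOADED  = 1,   /* loader accepted the configured file/path */
    VERIFY_FAILED  = -1   /* something was configured but is unusable */
};

/* Constructed stand-in for the 0.9.0 library behaviour quoted in the thread:
 * NULL/NULL returns 0. For a configured file it checks readability, which is
 * roughly what the real lookup does before it can succeed. */
static int load_09x(void *ctx, const char *file, const char *path)
{
    (void)ctx;
    if ((path == NULL) && (file == NULL))
        return 0;                        /* the crypto/x509/x509_d2.c change */
    if (file != NULL) {
        FILE *fp = fopen(file, "r");
        if (fp == NULL)
            return 0;                    /* configured CA file is not readable */
        fclose(fp);
    }
    /* A directory-only configuration is accepted here; the real code
     * additionally validates the hashed-name layout in that directory. */
    return 1;
}

/* The guard itself: only ask the library to load verify locations when the
 * configuration actually supplies a file or a directory. A 0 from the loader
 * is then a genuine misconfiguration (unreadable CA file), not the
 * NULL/NULL artefact. */
int setup_ca_verify(void *ctx, const char *ca_file, const char *ca_path,
                    verify_loader_fn loader)
{
    if (ca_file == NULL && ca_path == NULL)
        return VERIFY_SKIPPED;           /* the 1.17 behaviour: don't call */
    if (!loader(ctx, ca_file, ca_path))
        return VERIFY_FAILED;            /* configured but unusable */
    return VERIFY_LOADED;
}

int main(void)
{
    /* Constructed configurations; /dev/null stands in for a readable CA file. */
    printf("no CA configured : %d\n", setup_ca_verify(NULL, NULL, NULL, load_09x));
    printf("readable CA file : %d\n", setup_ca_verify(NULL, "/dev/null", NULL, load_09x));
    printf("missing CA file  : %d\n", setup_ca_verify(NULL, "/nonexistent/ca.pem", NULL, load_09x));
    return 0;
}
```

The point of separating `VERIFY_SKIPPED` from `VERIFY_FAILED` is that a server with no CA information configured is a legitimate (if verification-less) setup and should start, whereas a CA file that is configured but unreadable should still make httpsd gripe and croak.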