'capath=' ignored in Squid 4 and 5 (#58)

The capath= is ignored if cafile= is not set. This is affect tls_outgoing_options, cache_peer and *_port configuration parameters.

This is a Measurement Factory project

diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index b6ed67d31e1e7f622b97847b486f4d951cab66f4..0dbb4b142262276ad02079a93d151205c56979d1 100644 (file)
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -641,11 +641,16 @@ Security::PeerOptions::updateContextCa(Security::ContextPointer &ctx)
 {
     debugs(83, 8, "Setting CA certificate locations.");
 #if USE_OPENSSL
-    const char *path = caDir.isEmpty() ? nullptr : caDir.c_str();
+    if (const char *path = caDir.isEmpty() ? nullptr : caDir.c_str()) {
+        if (!SSL_CTX_load_verify_locations(ctx.get(), nullptr, path)) {
+            const auto x = ERR_get_error();
+            debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location " << path << ": " << Security::ErrorString(x));
+        }
+    }
 #endif
     for (auto i : caFiles) {
 #if USE_OPENSSL
-        if (!SSL_CTX_load_verify_locations(ctx.get(), i.c_str(), path)) {
+        if (!SSL_CTX_load_verify_locations(ctx.get(), i.c_str(), nullptr)) {
             const auto x = ERR_get_error();
             debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location " <<
                    i << ": " << Security::ErrorString(x));