From: Christos Tsantilas Date: Mon, 4 Sep 2017 16:22:53 +0000 (+0300) Subject: 'capath=' ignored in Squid 4 and 5 (#58) X-Git-Tag: SQUID_4_0_22~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=809e63ed6a5f779c958286611b8e618e2ab918c2;p=thirdparty%2Fsquid.git 'capath=' ignored in Squid 4 and 5 (#58) The capath= is ignored if cafile= is not set. This is affect tls_outgoing_options, cache_peer and *_port configuration parameters. This is a Measurement Factory project
---
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index b6ed67d31e..0dbb4b1422 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -641,11 +641,16 @@ Security::PeerOptions::updateContextCa(Security::ContextPointer &ctx)
 {
 debugs(83, 8, "Setting CA certificate locations.");
 #if USE_OPENSSL
- const char *path = caDir.isEmpty() ? nullptr : caDir.c_str();
+ if (const char *path = caDir.isEmpty() ? nullptr : caDir.c_str()) {
+ if (!SSL_CTX_load_verify_locations(ctx.get(), nullptr, path)) {
+ const auto x = ERR_get_error();
+ debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location " << path << ": " << Security::ErrorString(x));
+ }
+ }
 #endif
 for (auto i : caFiles) {
 #if USE_OPENSSL
- if (!SSL_CTX_load_verify_locations(ctx.get(), i.c_str(), path)) {
+ if (!SSL_CTX_load_verify_locations(ctx.get(), i.c_str(), nullptr)) {
 const auto x = ERR_get_error();
 debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location " << i << ": " << Security::ErrorString(x));