From: hno <>
Date: Tue, 31 May 2005 22:19:56 +0000 (+0000)
Subject: Work around OpenSSL bug affecting the clientca= option
X-Git-Tag: SQUID_3_0_PRE4~738
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8c1ff4efba22dd7043aa9799b882b66d279dd799;p=thirdparty%2Fsquid.git
Work around OpenSSL bug affecting the clientca= option
---
diff --git a/src/ssl_support.cc b/src/ssl_support.cc
index 1af63af448..d7b02711c6 100644
--- a/src/ssl_support.cc
+++ b/src/ssl_support.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: ssl_support.cc,v 1.31 2005/03/19 19:43:39 serassio Exp $
+ * $Id: ssl_support.cc,v 1.32 2005/05/31 16:19:56 hno Exp $
 *
 * AUTHOR: Benno Rice
 * DEBUG: section 83 SSL accelerator support
@@ -653,8 +653,17 @@ sslCreateServerContext(const char *certfile, const char *keyfile, int version, c
 }
 if (clientCA) {
+ STACK_OF(X509_NAME) *cert_names;
 debug(83, 9) ("Set client certifying authority list.\n");
- SSL_CTX_set_client_CA_list(sslContext, SSL_load_client_CA_file(clientCA));
+ cert_names = SSL_load_client_CA_file(clientCA);
+
+ if (cert_names == NULL) {
+ debug(83, 1) ("Error loading the client CA certificates from '%s\': %s\n", clientCA, ERR_error_string(ERR_get_error(), NULL));
+ goto error;
+ }
+
+ ERR_clear_error();
+ SSL_CTX_set_client_CA_list(sslContext, cert_names);
 if (fl & SSL_FLAG_DELAYED_AUTH) {
 debug(83, 9) ("Not requesting client certificates until acl processing requires one\n");
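Review bot: The `ERR_clear_error()` after a successful `SSL_load_client_CA_file()` is the actual workaround, yet nothing in the code says so, and an unexplained flush of the error queue is easy to remove later or to mistake for error suppression. A comment above it such as `/* OpenSSL may leave entries on the error queue even though the CA file loaded; drop them so later SSL calls do not report them */` would record the intent (wording to be confirmed against the OpenSSL behaviour the commit title refers to). In the failure branch, `ERR_get_error()` returns the oldest queued entry, so if anything earlier in sslCreateServerContext left an error behind, the logged reason may not be the one from the CA file; calling `ERR_clear_error();` before the load would rule that out. The function starts and ends outside the hunk, so the cleanup done at the `error` label is not visible here.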