From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 2 Sep 2020 13:26:09 +0000 (+0200)
Subject: openssl: avoid error conditions when importing native CA
X-Git-Tag: curl-7_73_0~154
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b3fbb2fb9dde9ab93db67a7ccc2130e68714016b;p=thirdparty%2Fcurl.git

openssl: avoid error conditions when importing native CA

The code section that is OpenSSL 3+ specific now uses the same logic as
is used in the version < 3 section. It caused a compiler error without
it.

Closes #5907
---

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index ce6f8445a7..5d3da82341 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2993,7 +2993,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
   {
     if(ssl_cafile) {
       if(!SSL_CTX_load_verify_file(backend->ctx, ssl_cafile)) {
-        if(verifypeer) {
+        if(verifypeer && !imported_native_ca) {
           /* Fail if we insist on successfully verifying the server. */
           failf(data, "error setting certificate file: %s", ssl_cafile);
           return CURLE_SSL_CACERT_BADFILE;
@@ -3005,7 +3005,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
     }
     if(ssl_capath) {
       if(!SSL_CTX_load_verify_dir(backend->ctx, ssl_capath)) {
-        if(verifypeer) {
+        if(verifypeer && !imported_native_ca) {
           /* Fail if we insist on successfully verifying the server. */
           failf(data, "error setting certificate path: %s", ssl_capath);
           return CURLE_SSL_CACERT_BADFILE;