On April 24th, I wrote to openssl-dev:

> Also, the function "dir_ctrl" in crypto/x509/by_dir.c looks wrong to
> me. Shouldn't it be checking for the environment variable first, then
> getting the default if no environment variable is specified (the way
> by_file_ctrl does in crypto/x509/by_file.c)? Sorry if I am misreading
> what that function is doing. The code looks the same in 0.9.7 and
> 0.9.8.

I have done some more testing, and openssl is indeed using certs from
the default directory, even if a different directory is specified
by SSL_CERT_DIR. This patch changes the logic to what we have in
by_file.c. That is, if SSL_CERT_DIR is defined in the environment,
openssl uses it exclusively for the directory of hashed certs. If
SSL_CERT_DIR is not defined, then the default directory is used.

Since I am in the US, a copy of the patch is being forwarded to the
appropriate US government agencies.


--- crypto/x509/by_dir.c.ori 2004-01-22 14:36:46.000000000 -0800
+++ crypto/x509/by_dir.c 2005-06-22 12:09:00.000000000 -0800
@@ -122,19 +122,19 @@
case X509_L_ADD_DIR:
if (argl == X509_FILETYPE_DEFAULT)
+ dir=(char *)Getenv(X509_get_default_cert_dir_env());
+ if (dir)
+ ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
+ else
+ }
if (!ret)
- else
- {
- dir=(char *)Getenv(X509_get_default_cert_dir_env());
- ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
- }
- }
Doug Kaufman
Internet: dkaufman@rahul.net

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org