On April 24th, I wrote to openssl-dev:

> Also, the function "dir_ctrl" in crypto/x509/by_dir.c looks wrong to
> me. Shouldn't it be checking for the environment variable first, then
> getting the default if no environment variable is specified (the way
> by_file_ctrl does in crypto/x509/by_file.c)? Sorry if I am misreading
> what that function is doing. The code looks the same in 0.9.7 and
> 0.9.8.


I have done some more testing, and openssl is indeed using certs from
the default directory, even if a different directory is specified
by SSL_CERT_DIR. This patch changes the logic to what we have in
by_file.c. That is, if SSL_CERT_DIR is defined in the environment,
openssl uses it exclusively for the directory of hashed certs. If
SSL_CERT_DIR is not defined, then the default directory is used.

Since I am in the US, a copy of the patch is being forwarded to the
appropriate US government agencies.

Doug

--- crypto/x509/by_dir.c.ori 2004-01-22 14:36:46.000000000 -0800
+++ crypto/x509/by_dir.c 2005-06-22 12:09:00.000000000 -0800
@@ -122,19 +122,19 @@
{
case X509_L_ADD_DIR:
if (argl == X509_FILETYPE_DEFAULT)
+ dir=(char *)Getenv(X509_get_default_cert_dir_env());
+ if (dir)
+ ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
+ else
{
ret=add_cert_dir(ld,X509_get_default_cert_dir(),
X509_FILETYPE_PEM);
+ }
if (!ret)
{
X509err(X509_F_DIR_CTRL,X509_R_LOADING_CERT_DIR);
}
- else
- {
- dir=(char *)Getenv(X509_get_default_cert_dir_env());
- ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
- }
- }
+
else
ret=add_cert_dir(ld,argp,(int)argl);
break;
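Review bot: the outer `if (argl == X509_FILETYPE_DEFAULT)` loses its braces in this hunk: the `{` that used to open its body now follows the added `else`, and the `}` that closed the body before the final `else` is removed. As written, the outer `if` governs only the `dir=(char *)Getenv(...)` assignment, so the `if (dir) ... else { ... }` lookup and the `if (!ret)` check run for every X509_L_ADD_DIR call, and the trailing `else ret=add_cert_dir(ld,argp,(int)argl);` binds to `if (!ret)` rather than to the file-type test. That means a caller-supplied directory would be handled after the environment or default directory has already been added, and only when that earlier call succeeded. Suggest keeping the opening brace directly after the outer `if` and the closing brace before the final `else`, so that the environment lookup, the default fallback and the error report all stay inside the X509_FILETYPE_DEFAULT branch.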
--
Doug Kaufman
Internet: dkaufman@rahul.net

