aboutsummaryrefslogtreecommitdiff
path: root/ssl.c
diff options
context:
space:
mode:
Diffstat (limited to 'ssl.c')
-rw-r--r--ssl.c21
1 files changed, 13 insertions, 8 deletions
diff --git a/ssl.c b/ssl.c
index 304e6ed..17b418b 100644
--- a/ssl.c
+++ b/ssl.c
@@ -833,14 +833,17 @@ init_ssl (const struct options *options)
msg (M_SSLERR, "Private key does not match the certificate");
/* Set Certificate Verification chain */
- if (ca && sk_num(ca))
+ if (!options->ca_file)
{
- for (i = 0; i < sk_X509_num(ca); i++)
+ if (ca && sk_num(ca))
{
- if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i)))
- msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
- if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i)))
- msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
+ for (i = 0; i < sk_X509_num(ca); i++)
+ {
+ if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i)))
+ msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
+ if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i)))
+ msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
+ }
}
}
}
@@ -906,7 +909,10 @@ init_ssl (const struct options *options)
msg (M_SSLERR, "Private key does not match the certificate");
}
}
+ }
+ if (options->ca_file)
+ {
/* Load CA file for verifying peer supplied certificate */
ASSERT (options->ca_file);
if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, NULL))
@@ -920,9 +926,8 @@ init_ssl (const struct options *options)
msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", options->ca_file);
SSL_CTX_set_client_CA_list (ctx, cert_names);
}
-
}
-
+
/* Enable the use of certificate chains */
if (using_cert_file)
{