This fixes a bug where the default certificate path locations would only be loaded if the CAfile or CApath locations were successfully loaded first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190 Noted here on the LibreSSL-portable github tracker: https://github.com/libressl-portable/openbsd/issues/62 ok?
Index: s_client.c
===================================================================
RCS file: /cvs/src/usr.bin/openssl/s_client.c,v
retrieving revision 1.27
diff -u -p -r1.27 s_client.c
--- s_client.c 1 Dec 2015 12:01:56 -0000 1.27
+++ s_client.c 20 Jun 2016 13:31:43 -0000
@@ -728,15 +728,13 @@ bad:
 if (!set_cert_key_stuff(ctx, cert, key))
 goto end;
 
- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx))) {
- /*
- * BIO_printf(bio_err,"error setting default verify
- * locations\n");
- */
+ if ((CAfile || CApath)
+ && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath))
 ERR_print_errors(bio_err);
- /* goto end; */
- }
+
+ if (!SSL_CTX_set_default_verify_paths(ctx))
+ ERR_print_errors(bio_err);
+
 if (servername != NULL) {
 tlsextcbp.biodebug = bio_err;
 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
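Review bot: A failed load of an explicitly requested CAfile or CApath is not fatal in the new first `if`: it only calls `ERR_print_errors(bio_err)`, and the second `if` then loads the default verify paths anyway. A mistyped or unreadable `-CAfile` therefore leaves the session validating against the system trust store rather than the anchors the user named, whereas the removed `||` form skipped the defaults when the explicit load failed. If that fallback is not intended, brace the first body and make it `ERR_print_errors(bio_err); goto end;`. If it is intended (the patch is described as mirroring upstream OpenSSL), a short comment such as `/* non-fatal: continue with the default trust store */` would record the decision in place of the deleted `/* goto end; */`. The enclosing function starts and ends outside this hunk, so whether a later check catches the missing anchors cannot be seen from here.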