I've searched high and low and have not found an explanation of this problem.

I'm running the following

int ret = 0;
ERR_clear_error();
ret = SSL_CTX_load_verify_locations( ctx_, "f:\\50\\server\\SSLCACertificateFile.pem", NULL );

I get a ret value of 1, which is an error. I then check the error queue.

int err = SSL_get_error( con_, ret );

The err value returned is zero. That value is associated with the error: SSL_ERROR_NONE.

SSL_ERROR_NONE means that the function actually succeeded.

Can I trust that the SSL_CTX_load_verify_locations function really did run successfully?

jww
danabaillie

1 Answer

man SSL_CTX_load_verify_locations

RETURN VALUES

   The following return values can occur:

   0   The operation failed because CAfile and CApath are NULL or the processing at one of the locations specified failed. Check the error stack to find out the
       reason.

   1   The operation succeeded.
Vladimir Kunschikov
  • Thanks Vladimir. When I go to openssl.org here: https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#return_values I see the following information for Return Values: "The following return values can occur: 1 The operation failed because CAfile and CApath are NULL or the processing at one of the locations specified failed. Check the error stack to find out the reason. 2 The operation succeeded." I wonder which is correct, man or openssl itself? – danabaillie Jan 10 '15 at 18:54
  • You can look at the source files and find the definition in ssl/ssl_lib.c, which calls X509_STORE_load_locations from crypto/x509/x509_d2.c, which returns 1 on success: https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L3229 https://github.com/openssl/openssl/blob/master/crypto/x509/x509_d2.c#L83 – Vladimir Kunschikov Jan 10 '15 at 19:04
  • Also, you can look at the source of the aforementioned web version of the man page: there are no 1 and 2 return values defined there; it is an HTML list, which is numbered from 1, not from zero. – Vladimir Kunschikov Jan 10 '15 at 19:07
  • Wow. Thanks very much, Vladimir. Last time that I blindly trust documentation. You have taught me a new method of debugging. I have done this in the past, but it never dawned on me in this case, as I had documentation. Lesson learned. Thanks again. – danabaillie Jan 10 '15 at 21:44
  • It's a very rare exception. You don't have to be paranoid. "Trust but verify", as the proverb says. – Vladimir Kunschikov Jan 11 '15 at 07:24