Honor sslcertpath setting even if sslcertck is unset. Patch by Brian Candler.

svn path=/trunk/; revision=3987

diff --git a/NEWS b/NEWS
index cfabb90020f8e9c67ff61685da61f629018e2b49..fd3dad206495fb8125ee4bd548900d0616451f94 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,8 @@
 * Remove sleep(3) after POP3 login, patch by Brian Candler.
 * Fix option parsing bug that trashes the showdots setting when more
   than one server is configured. Patch by Brian Candler.
+* Honor sslcertpath setting even if sslcertck is unset. Patch by Brian
+  Candler.
 
 fetchmail-6.2.5 (Wed Oct 15 18:39:22 EDT 2003), 23079 lines:
 

diff --git a/socket.c b/socket.c
index 5c3861bcf10593d03c5f6c6bfe8f29bb6a4e2e8c..10a0c5f2350d8bba13bffce6247319884f8389a2 100644 (file)
--- a/socket.c
+++ b/socket.c
@@ -962,13 +962,13 @@ int SSLOpen(int sock, char *mycert, char *mykey, char *myproto, int certck, char
 
        if (certck) {
                SSL_CTX_set_verify(_ctx, SSL_VERIFY_PEER, SSL_ck_verify_callback);
-               if (certpath)
-                       SSL_CTX_load_verify_locations(_ctx, NULL, certpath);
        } else {
                /* In this case, we do not fail if verification fails. However,
                 *  we provide the callback for output and possible fingerprint checks. */
                SSL_CTX_set_verify(_ctx, SSL_VERIFY_PEER, SSL_nock_verify_callback);
        }
+       if (certpath)
+               SSL_CTX_load_verify_locations(_ctx, NULL, certpath);
        
        _ssl_context[sock] = SSL_new(_ctx);