authorRob Percival <robpercival@google.com>2016-03-04 19:06:43 +0000
committerRich Salz <rsalz@openssl.org>2016-03-09 13:07:09 -0500
commit328f36c5c51994391363162b76c94819f9a12ae0 (patch)
tree1c08ac98876a0d79ca8293fbc52e82b1b3f124fe
parent60b350a3ef9620866a43358ecd1874c6fc482d9c (diff)
Do not display a CT log error message if CT validation is disabled
Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
-rw-r--r--apps/apps.c6
-rw-r--r--apps/s_client.c14
-rw-r--r--doc/ssl/SSL_CTX_set_ctlog_list_file.pod3
-rw-r--r--ssl/ssl_lib.c6
4 files changed, 14 insertions, 15 deletions
diff --git a/apps/apps.c b/apps/apps.c
index 4e2322d7a7..9bbb39e139 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -238,11 +238,7 @@ int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
{
if (path == NULL) {
- if (SSL_CTX_set_default_ctlog_list_file(ctx) <= 0) {
- BIO_puts(bio_err, "Failed to load default Certificate Transparency "
- "log list\n");
- }
- return 1; /* Do not treat failure to load the default as an error */
+ return SSL_CTX_set_default_ctlog_list_file(ctx);
}
return SSL_CTX_set_ctlog_list_file(ctx, path);
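Review bot: The return contract of ctx_set_ctlog_list_file() changes here without any comment saying so: the removed `return 1; /* Do not treat failure to load the default as an error */` meant a missing default list could never fail the helper, whereas the new `return SSL_CTX_set_default_ctlog_list_file(ctx);` passes that failure straight to the caller, and the error is left on the OpenSSL error queue for the caller to print or clear. The diffstat shows only s_client.c being adjusted for this, so any other user of the helper (none is visible here) would now treat a missing default log list as fatal; worth confirming before merge. A short header comment above the function would make the new contract explicit, e.g. `/* Load the CT log list from path, or the default list when path is NULL. Returns the SSL_CTX_set_*ctlog_list_file() result; on failure the caller must print or clear the error queue. */`. The closing brace of the function is not visible in the hunk.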
diff --git a/apps/s_client.c b/apps/s_client.c
index 25f51487f1..cf238c795b 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1670,8 +1670,18 @@ int s_client_main(int argc, char **argv)
}
if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) {
- ERR_print_errors(bio_err);
- goto end;
+ if (ct_validation != NULL) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ /*
+ * If CT validation is not enabled, the log list isn't needed so don't
+ * show errors or abort. We try to load it regardless because then we
+ * can show the names of the logs any SCTs came from (SCTs may be seen
+ * even with validation disabled).
+ */
+ ERR_clear_error();
}
#endif
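Review bot: The added branch keys only on `ct_validation != NULL`, so when validation is off a load failure for a log list the user explicitly supplied via ctlog_file is discarded by `ERR_clear_error()` just like a missing default file, whereas the old code reported every failure. Assuming a non-NULL ctlog_file means the path came from the command line, a path that cannot be read is an operator error worth surfacing regardless of validation mode; `if (ct_validation != NULL || ctlog_file != NULL) {` keeps the default list best-effort while still reporting an explicit path that fails, and the comment block would then say "the default log list isn't needed" rather than "the log list". s_client_main() begins and ends outside the hunk.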
diff --git a/doc/ssl/SSL_CTX_set_ctlog_list_file.pod b/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
index ddad842739..9ef15adb90 100644
--- a/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
+++ b/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
@@ -37,9 +37,6 @@ The expected format of the log list file is:
These functions will not clear the existing CT log list - it will be appended
to.
-SSL_CTX_set_default_ctlog_list_file() will not report errors if it fails for
-any reason. Use SSL_CTX_set_ctlog_list_file() if you want errors to be reported.
-
If an error occurs whilst parsing a particular log entry in the file, that log
entry will be skipped.
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index f6bf42d1e5..2fa323a41d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -4143,11 +4143,7 @@ end:
int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx)
{
- int ret = CTLOG_STORE_load_default_file(ctx->ctlog_store);
-
- /* Clear any errors if the default file does not exist */
- ERR_clear_error();
- return ret;
+ return CTLOG_STORE_load_default_file(ctx->ctlog_store);
}
int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
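Review bot: SSL_CTX_set_default_ctlog_list_file() now leaves the CTLOG_STORE_load_default_file() errors on the error queue, but the documentation hunk in this commit only deletes the sentence that said the function will not report errors and adds nothing in its place, so the new behaviour — and the fact that a caller who regards a missing default file as non-fatal must call ERR_clear_error() itself, as s_client.c does in this same commit — is documented nowhere. Suggest restoring a paragraph in SSL_CTX_set_ctlog_list_file.pod stating that both functions report failures through the error queue and that failure to find the default list is reported like any other error, and mirroring it in a one-line comment above this function, e.g. `/* Errors from loading the default list are left on the error queue for the caller. */`. Whether CTLOG_STORE_load_default_file() can return a value other than 0/1 is not visible here; if it can, the `<= 0` check the apps.c hunk removes was the only place normalising it.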