[EXT] Re: Trouble with OCSP

Brian Julin BJulin at clarku.edu
Mon Dec 9 17:02:23 UTC 2024


Orion Poplawski <orion at nwra.com> wrote:
> Hmm, I'm not entirely sure this is true for the FreeRADIUS case - it calls:
>        if (!X509_STORE_load_locations(store, conf->ca_file, conf->ca_path)) {
...
>  X509_STORE_load_locations_ex() combines X509_STORE_load_file_ex() and
>  X509_STORE_load_path() for a given file and/or directory path. It is permitted
>  to specify just a file, just a directory, or both paths.

Interesting.  And if I googled to the right source repo, that does this:

int X509_STORE_load_locations_ex(X509_STORE *ctx, const char *file,
                                 const char *path, OSSL_LIB_CTX *libctx,
                                 const char *propq)
{
    if (file == NULL && path == NULL)
        return 0;
    if (file != NULL && !X509_STORE_load_file_ex(ctx, file, libctx, propq))
        return 0;
    if (path != NULL && !X509_STORE_load_path(ctx, path))
        return 0;
    return 1;
}

OpenSSL seems to be a "return 1 on success or 0 on failure" codebase, so that means if both are specified but one fails, the combo fails, a sensible decision given it is a security layer, I guess.

