From 328f36c5c51994391363162b76c94819f9a12ae0 Mon Sep 17 00:00:00 2001
From: Rob Percival
Date: Fri, 4 Mar 2016 19:06:43 +0000
Subject: [PATCH] Do not display a CT log error message if CT validation is disabled
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Reviewed-by: Emilia Käsper
Reviewed-by: Rich Salz
---
 apps/apps.c | 6 +-----
 apps/s_client.c | 14 ++++++++++++--
 doc/ssl/SSL_CTX_set_ctlog_list_file.pod | 3 ---
 ssl/ssl_lib.c | 6 +-----
 4 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/apps/apps.c b/apps/apps.c
index 4e2322d7a7..9bbb39e139 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -238,11 +238,7 @@ int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
 int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
 {
     if (path == NULL) {
-        if (SSL_CTX_set_default_ctlog_list_file(ctx) <= 0) {
-            BIO_puts(bio_err, "Failed to load default Certificate Transparency "
-                     "log list\n");
-        }
-        return 1; /* Do not treat failure to load the default as an error */
+        return SSL_CTX_set_default_ctlog_list_file(ctx);
     }
 
     return SSL_CTX_set_ctlog_list_file(ctx, path);
diff --git a/apps/s_client.c b/apps/s_client.c
index 25f51487f1..cf238c795b 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1670,8 +1670,18 @@ int s_client_main(int argc, char **argv)
     }
 
     if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) {
-        ERR_print_errors(bio_err);
-        goto end;
+        if (ct_validation != NULL) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+        /*
+         * If CT validation is not enabled, the log list isn't needed so don't
+         * show errors or abort. We try to load it regardless because then we
+         * can show the names of the logs any SCTs came from (SCTs may be seen
+         * even with validation disabled).
+         */
+        ERR_clear_error();
     }
 #endif
 
diff --git a/doc/ssl/SSL_CTX_set_ctlog_list_file.pod b/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
index ddad842739..9ef15adb90 100644
--- a/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
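Review bot: The caller in s_client.c now tests this function's result with `!`, while the removed code compared the default loader's result with `<= 0`; if SSL_CTX_set_default_ctlog_list_file() can ever return a negative value, that path would now be taken as success, so unless its result is strictly 0/1 normalise it here with `return SSL_CTX_set_default_ctlog_list_file(ctx) > 0;`. The function's contract has also changed silently: a failure to load the default list used to be swallowed (return 1) and is now propagated, so a comment above the function such as `/* Returns 0 when even the default list cannot be loaded; the caller decides whether that is fatal */` would spare the next reader a trip to s_client.c. The closing brace of ctx_set_ctlog_list_file lies outside the hunk.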
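Review bot: With ct_validation == NULL the new `ERR_clear_error()` discards the load failure even when the user supplied an explicit log list via ctlog_file, so a mistyped or unreadable file argument produces no diagnostic at all, and the comment's own rationale (naming the logs that issued received SCTs) is lost without any indication. Consider keeping the silent path for the default list only and warning otherwise, e.g. `if (ctlog_file != NULL) BIO_printf(bio_err, "Warning: unable to load CT log list from %s\n", ctlog_file);` immediately before the `ERR_clear_error()` call. The enclosing s_client_main() continues on both sides of the hunk.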
+++ b/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
@@ -37,9 +37,6 @@ The expected format of the log list file is:
 These functions will not clear the existing CT log list - it will be appended to.
 
-SSL_CTX_set_default_ctlog_list_file() will not report errors if it fails for
-any reason. Use SSL_CTX_set_ctlog_list_file() if you want errors to be reported.
-
 If an error occurs whilst parsing a particular log entry in the file, that log entry will be skipped.
 
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index f6bf42d1e5..2fa323a41d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -4143,11 +4143,7 @@ end:
 
 int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx)
 {
-    int ret = CTLOG_STORE_load_default_file(ctx->ctlog_store);
-
-    /* Clear any errors if the default file does not exist */
-    ERR_clear_error();
-    return ret;
+    return CTLOG_STORE_load_default_file(ctx->ctlog_store);
 }
 
 int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
-- 
2.25.1
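Review bot: Dropping the `ERR_clear_error()` means a missing default log list now leaves entries on the error queue for every library caller of SSL_CTX_set_default_ctlog_list_file(), not just the apps, yet the documentation hunk only deletes the sentence describing the old behaviour and states nothing about the new one. Add a replacement to the pod along the lines of `Both functions leave details of any failure on the error queue; callers that treat a missing default list as non-fatal must clear the queue themselves.`, and state the actual return values if the pod does not already, since CTLOG_STORE_load_default_file()'s contract is not visible in this hunk. Applications that previously relied on a clean error queue after this call will see a behavioural change, which the function's documentation should make explicit.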