1 files changed, 11 insertions, 6 deletions

diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index a32b2d4446..27256eea81 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -197,8 +197,10 @@ CERT *ssl_cert_dup(CERT *cert)
          * if you find that more readable */
 
         ret->valid = cert->valid;
-        ret->mask = cert->mask;
-        ret->export_mask = cert->export_mask;
+        ret->mask_k = cert->mask_k;
+        ret->mask_a = cert->mask_a;
+        ret->export_mask_k = cert->export_mask_k;
+        ret->export_mask_a = cert->export_mask_a;
 
 #ifndef OPENSSL_NO_RSA
         if (cert->rsa_tmp != NULL)
@@ -500,9 +502,6 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
                 SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
                 return(0);
                 }
-        if (s->param)
-                X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx),
-                                                s->param);
 #if 0
         if (SSL_get_verify_depth(s) >= 0)
                 X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
@@ -516,6 +515,10 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
 
         X509_STORE_CTX_set_default(&ctx,
                                 s->server ? "ssl_client" : "ssl_server");
+        /* Anything non-default in "param" should overwrite anything in the
+         * ctx.
+         */
+        X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
 
         if (s->verify_callback)
                 X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
@@ -752,6 +755,8 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                         sk_X509_NAME_push(stack,xn);
                 }
 
+        ERR_clear_error();
+
         if (0)
                 {
 err: