From d73dc1262008dfcbfe5d8b18f9d8808970caa9d5 Mon Sep 17 00:00:00 2001
From: bcook <>
Date: Tue, 21 Jun 2016 03:56:43 +0000
Subject: Fix a bug loading the default certificate path locations.

The files would only be loaded if the CAfile or CApath locations were
successfully loaded first. Original patch from OpenSSL:

https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190

ok beck@
---
 src/usr.bin/openssl/s_client.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c
index 471a5e3c5c..b35fa8c3fc 100644
--- a/src/usr.bin/openssl/s_client.c
+++ b/src/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.27 2015/12/01 12:01:56 jca Exp $ */
+/* $OpenBSD: s_client.c,v 1.28 2016/06/21 03:56:43 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -728,15 +728,13 @@ bad:
 	if (!set_cert_key_stuff(ctx, cert, key))
 		goto end;
 
-	if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
-	    (!SSL_CTX_set_default_verify_paths(ctx))) {
-		/*
-		 * BIO_printf(bio_err,"error setting default verify
-		 * locations\n");
-		 */
+	if ((CAfile || CApath)
+	    && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath))
 		ERR_print_errors(bio_err);
-		/* goto end; */
-	}
+
+	if (!SSL_CTX_set_default_verify_paths(ctx))
+		ERR_print_errors(bio_err);
+
 	if (servername != NULL) {
 		tlsextcbp.biodebug = bio_err;
 		SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
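Review bot: When an explicitly supplied CAfile or CApath fails to load, the first new `if` only calls ERR_print_errors and execution continues into SSL_CTX_set_default_verify_paths, so any later verification would run against the system default trust store instead of the anchors the user asked for. If that fallback is not intended, the explicit case should be fatal: `if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) { ERR_print_errors(bio_err); goto end; }`. The removed code carried a commented-out `goto end`, so the non-fatal behaviour may be deliberate for a diagnostic tool. In that case a short comment such as `/* non-fatal: continue with whatever trust anchors did load */` above both checks would record the decision. The enclosing function starts and ends outside this hunk, so whether a verify mode is enforced later cannot be confirmed from here.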
-- 
cgit v1.2.3-55-g6feb