From e83b8190d46352f8a625491b10af19c8b0ac2def Mon Sep 17 00:00:00 2001
From: james
Date: Sat, 15 Oct 2005 05:07:29 +0000
Subject: Enable the use of --ca together with --pkcs12.
If --ca is used at the same time as --pkcs12, the CA certificate is loaded from the file specified by --ca regardless if the pkcs12 file contains a CA cert or not (Mathias Sundman).
Pre-2.1-beta3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@612 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 ssl.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
(limited to 'ssl.c')
diff --git a/ssl.c b/ssl.c
index 304e6ed..17b418b 100644
--- a/ssl.c
+++ b/ssl.c
@@ -833,14 +833,17 @@ init_ssl (const struct options *options)
 msg (M_SSLERR, "Private key does not match the certificate");
 
 /* Set Certificate Verification chain */
- if (ca && sk_num(ca))
+ if (!options->ca_file)
 {
- for (i = 0; i < sk_X509_num(ca); i++)
+ if (ca && sk_num(ca))
 {
- if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i)))
- msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
- if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i)))
- msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
+ for (i = 0; i < sk_X509_num(ca); i++)
+ {
+ if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i)))
+ msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
+ if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i)))
+ msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
+ }
 }
 }
 }
@@ -906,7 +909,10 @@ init_ssl (const struct options *options)
 msg (M_SSLERR, "Private key does not match the certificate");
 }
 }
+ }
+ if (options->ca_file)
+ {
 /* Load CA file for verifying peer supplied certificate */
 ASSERT (options->ca_file);
 if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, NULL))
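Review bot: When --ca is given, the CA certificates carried inside the PKCS#12 file are now dropped without any diagnostic, because the whole chain-install block sits under the new `if (!options->ca_file)` guard; an operator who supplies both options with a PKCS#12 whose bundled CA differs from --ca gets no hint which trust anchor is actually in effect. Since this decides which CA the peer certificate is verified against, I would add an `else` branch after the block, e.g. `else if (ca && sk_X509_num(ca))` / `msg (M_INFO, "Ignoring CA certificates in the PKCS#12 file because --ca was specified");`, so the override is visible in the log. The re-indented guard also mixes the untyped `sk_num(ca)` with the typed `sk_X509_num(ca)` used in the loop; using `sk_X509_num` in both places keeps the check consistent. init_ssl begins and ends outside this hunk, and `i` is declared outside it as well.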
@@ -920,9 +926,8 @@ init_ssl (const struct options *options) msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", options->ca_file); SSL_CTX_set_client_CA_list (ctx, cert_names); } - } - + /* Enable the use of certificate chains */ if (using_cert_file) { -- cgit