Workaround patch for OpenSSL bug 1513

Laura Bowser lbowser at
Wed Jul 18 19:21:55 EDT 2007

I've run into the following SSL bug: 
and for a while, I haven't been able to connect to my IMAP server  
over TLS.  I finally delved into the code, and discovered what the  
problem was.
My situation:
cyrus-imapd - 2.3.8 on FreeBSD 6.2 installed from ports
self-signed certificate, no CAs
tls_ca_path is the default of blank (none)
tls_cert_file and tls_key_file point to the certificate and key  

So, from what I can tell is happening, when  
SSL_CTX_load_verify_locations returns an error in like 672, the error  
is sticking around by the time control rolls around to  
SSL_CTX_use_certificate_chain_file on line 362, but 1513 is  
triggered, and it returns an error, even though there isn't one.

Realizing this probably isn't the best solution because you lose the  
SSL error stack, I added ERR_clear_error(); between lines 361 and 362.
Since the previous error is already reported, I didn't think losing  
the stack was that big of a deal, but I'm not normally a developer,  
so I defer to those with more knowledge.  I just had an itch to scratch.

My patch is available at 
patch-imap-tls.c  for those of you who'd like to look at it.


More information about the Cyrus-devel mailing list