From 421421a4b04820bfbf57aa67be656852bb8d364f Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Mon, 8 Nov 2004 09:36:31 +0000
Subject: Honor sslcertpath setting even if sslcertck is unset. Patch by Brian Candler. svn path=/trunk/; revision=3987
---
NEWS | 2 ++
socket.c | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index cfabb900..fd3dad20 100644
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,8 @@
* Remove sleep(3) after POP3 login, patch by Brian Candler.
* Fix option parsing bug that trashes the showdots setting when more than one server is configured. Patch by Brian Candler.
+* Honor sslcertpath setting even if sslcertck is unset. Patch by Brian
+ Candler.
fetchmail-6.2.5 (Wed Oct 15 18:39:22 EDT 2003), 23079 lines:
diff --git a/socket.c b/socket.c
index 5c3861bc..10a0c5f2 100644
--- a/socket.c
+++ b/socket.c
@@ -962,13 +962,13 @@ int SSLOpen(int sock, char *mycert, char *mykey, char *myproto, int certck, char
if (certck) {
SSL_CTX_set_verify(_ctx, SSL_VERIFY_PEER, SSL_ck_verify_callback);
- if (certpath)
- SSL_CTX_load_verify_locations(_ctx, NULL, certpath);
} else {
/* In this case, we do not fail if verification fails. However,
* we provide the callback for output and possible fingerprint checks. */
SSL_CTX_set_verify(_ctx, SSL_VERIFY_PEER, SSL_nock_verify_callback);
}
+ if (certpath)
+ SSL_CTX_load_verify_locations(_ctx, NULL, certpath);
_ssl_context[sock] = SSL_new(_ctx);
-- cgit v1.2.3
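Review bot: The return value of `SSL_CTX_load_verify_locations(_ctx, NULL, certpath)` is still discarded at its new position after the `if (certck)`/`else` block in socket.c, so a certpath that OpenSSL rejects leaves the context without the intended trust anchors and nothing is reported. Check the result, e.g. `if (certpath && SSL_CTX_load_verify_locations(_ctx, NULL, certpath) != 1)`, and emit a diagnostic there; failing the open when `certck` is set looks right, but SSLOpen's error path is outside the hunk, so that part needs confirming. It would also help to add a comment above the moved lines such as `/* certpath is loaded in both modes; without certck the nock callback still accepts a failed verification */`, because per the existing comment in the else branch the connection does not fail there and a user could read sslcertpath alone as enabling enforcement. SSLOpen begins and ends outside this hunk.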