MINOR: ssl: check private key consistency in loading
Loading a PEM certificate and using it in a CTX are now decoupled.
Checking the certificate and private key consistency can be done
earlier: in the loading phase instead of the CTX set phase.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index cd05421..08ab3c3 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2992,6 +2992,12 @@
goto end;
}
+ if (!X509_check_private_key(ckch->cert, ckch->key)) {
+ memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
+ err && *err ? *err : "", path);
+ goto end;
+ }
+
/* Read Certificate Chain */
ckch->chain = sk_X509_new_null();
while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL)))
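Review bot: With the check moved to the added `X509_check_private_key(ckch->cert, ckch->key)` block, key/certificate consistency is only guaranteed for a ckch filled by this loader, and the CTX set phase (second hunk) no longer verifies it. If any other path can populate or change `ckch->cert` or `ckch->key` before the CTX is built, a mismatched pair would reach the CTX unchecked; that is not visible from this hunk, so it is worth confirming. I would record the invariant above the new check, e.g. `/* cert/key consistency is verified once here; the CTX set phase relies on it and does not re-check */`. The call also assumes both `ckch->cert` and `ckch->key` are non-NULL at this point, which depends on the guards that precede the hunk. The enclosing function starts and ends outside the hunk, so what the `end` label does with the return value and the OpenSSL error queue cannot be checked from here.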
@@ -3064,12 +3070,6 @@
}
#endif
- if (SSL_CTX_check_private_key(ctx) <= 0) {
- memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
- err && *err ? *err : "", path);
- return 1;
- }
-
#ifndef OPENSSL_NO_DH
/* store a NULL pointer to indicate we have not yet loaded
a custom DH param file */