BUG/MINOR: ssl: allow duplicate certificates in ca-file directories
It looks like OpenSSL 1.0.2 returns an error when trying to insert a
certificate whis is already present in a X509_STORE.
This patch simply ignores the X509_R_CERT_ALREADY_IN_HASH_TABLE error if
emitted.
Should fix part of issue #1780.
Must be backported in 2.6.
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 0f430a4..b0bd7bd 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1201,6 +1201,8 @@
BIO *in = NULL;
X509 *ca = NULL;;
+ ERR_clear_error();
+
/* we try to load the files that would have
* been loaded in an hashed directory loaded by
* X509_LOOKUP_hash_dir, so according to "man 1
@@ -1229,8 +1231,12 @@
if (PEM_read_bio_X509_AUX(in, &ca, NULL, NULL) == NULL)
goto scandir_err;
- if (X509_STORE_add_cert(store, ca) == 0)
- goto scandir_err;
+ if (X509_STORE_add_cert(store, ca) == 0) {
+ /* only exits on error if the error is not about duplicate certificates */
+ if (!(ERR_GET_REASON(ERR_get_error()) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
+ goto scandir_err;
+ }
+ }
X509_free(ca);
BIO_free(in);