Do not display a CT log error message if CT validation is disabled

[openssl.git] / apps / s_client.c

diff --git a/apps/s_client.c b/apps/s_client.c
index a1ef64b13fe4da4f72472dfb7a8cad695c27259d..cf238c795b13e1e0eef4004b63f38c58e39c2e62 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -445,7 +445,7 @@ static char *srtp_profiles = NULL;
 /* This the context that we pass to next_proto_cb */
 typedef struct tlsextnextprotoctx_st {
     unsigned char *data;
-    unsigned short len;
+    size_t len;
     int status;
 } tlsextnextprotoctx;
 
@@ -1634,7 +1634,7 @@ int s_client_main(int argc, char **argv)
         SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
 #endif
     if (alpn_in) {
-        unsigned short alpn_len;
+        size_t alpn_len;
         unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
 
         if (alpn == NULL) {
@@ -1669,9 +1669,19 @@ int s_client_main(int argc, char **argv)
         goto end;
     }
 
-    if (ctx_set_ctlog_list_file(ctx, ctlog_file) <= 0) {
-        ERR_print_errors(bio_err);
-        goto end;
+    if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) {
+        if (ct_validation != NULL) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+        /*
+         * If CT validation is not enabled, the log list isn't needed so don't
+         * show errors or abort. We try to load it regardless because then we
+         * can show the names of the logs any SCTs came from (SCTs may be seen
+         * even with validation disabled).
+         */
+        ERR_clear_error();
     }
 #endif