Don't use decryption_failed alert for TLS v1.1 or later.

[openssl.git] / ssl / ssl_cert.c

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index ccb30e0760d20e04d64a4c2d87692af996502b1e..27256eea8145455f5e0ec89bc23c78e8736c49b7 100644 (file)
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -502,9 +502,6 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
                SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
                return(0);
                }
-       if (s->param)
-               X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(&ctx),
-                                               s->param);
 #if 0
        if (SSL_get_verify_depth(s) >= 0)
                X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
@@ -518,6 +515,10 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
 
        X509_STORE_CTX_set_default(&ctx,
                                s->server ? "ssl_client" : "ssl_server");
+       /* Anything non-default in "param" should overwrite anything in the
+        * ctx.
+        */
+       X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
 
        if (s->verify_callback)
                X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
@@ -754,6 +755,8 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                        sk_X509_NAME_push(stack,xn);
                }
 
+       ERR_clear_error();
+
        if (0)
                {
 err: