X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_cert.c;h=6f9fcdb350ed66caef97f81fa7d4f1fbff995e7f;hp=9a373b19ab1bab2d2de1aa48ab43d84659b3dcfb;hb=e44380a990a3edf1cd0c190c6459c8c026d53646;hpb=a71edf3ba275b946224b5bcded0a8ecfce1855c0
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 9a373b19ab..6f9fcdb350 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -914,6 +914,12 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
 SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB);
 return (0);
 }
+ /*
+ * It is valid for the chain not to be complete (because normally we
+ * don't include the root cert in the chain). Therefore we deliberately
+ * ignore the error return from this call. We're not actually verifying
+ * the cert - we're just building as much of the chain as we can
+ */
 X509_verify_cert(&xs_ctx);
 /* Don't leave errors in the queue */
 ERR_clear_error();
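Review bot: The deliberate discard of the result of `X509_verify_cert(&xs_ctx);` is explained in the new comment but is still not expressed in the code, so compilers and static analysers will keep reporting the call as an unchecked return. Writing it as `(void)X509_verify_cert(&xs_ctx);` would make the intent visible at the call site. The comment could also state that the outcome of this call must never be read as a trust decision on the certificate, and that any failure other than an incomplete chain (presumably including internal errors) is dropped by the same discard and then erased by `ERR_clear_error();`. The body of ssl_add_cert_chain starts and ends outside the hunk, so how the built chain is consumed afterwards is not visible here.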