From 3f46ac548c57d8632b4d75ebb6e1b9f46577525c Mon Sep 17 00:00:00 2001
From: Syeda Persia Aziz
Date: Thu, 14 Jun 2018 13:39:26 -0500
Subject: [PATCH] set verify locations in the initializer function only

---
 iocore/net/SSLClientUtils.cc    | 18 ++++++++----------
 iocore/net/SSLNetVConnection.cc |  7 -------
 2 files changed, 8 insertions(+), 17 deletions(-)

diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index 367f63496d2..139ba065c07 100644
--- a/iocore/net/SSLClientUtils.cc
+++ b/iocore/net/SSLClientUtils.cc
@@ -164,19 +164,17 @@ SSLInitClientContext(const SSLConfigParams *params)
   if (params->clientVerify) {
     SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback);
     SSL_CTX_set_verify_depth(client_ctx, params->client_verify_depth);
+  }
 
-    if (params->clientCACertFilename != nullptr || params->clientCACertPath != nullptr) {
-      if (!SSL_CTX_load_verify_locations(client_ctx, params->clientCACertFilename, params->clientCACertPath)) {
-        SSLError("invalid client CA Certificate file (%s) or CA Certificate path (%s)", params->clientCACertFilename,
-                 params->clientCACertPath);
-        goto fail;
-      }
-    }
-
-    if (!SSL_CTX_set_default_verify_paths(client_ctx)) {
-      SSLError("failed to set the default verify paths");
+  if (params->clientCACertFilename != nullptr || params->clientCACertPath != nullptr) {
+    if (!SSL_CTX_load_verify_locations(client_ctx, params->clientCACertFilename, params->clientCACertPath)) {
+      SSLError("invalid client CA Certificate file (%s) or CA Certificate path (%s)", params->clientCACertFilename,
+               params->clientCACertPath);
       goto fail;
     }
+  } else if (!SSL_CTX_set_default_verify_paths(client_ctx)) {
+    SSLError("failed to set the default verify paths");
+    goto fail;
   }
 
   if (SSLConfigParams::init_ssl_ctx_cb) {
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 6638f00bd4a..02440a84b84 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
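Review bot: The new `} else if (!SSL_CTX_set_default_verify_paths(client_ctx)) {` at the end of the hunk means the system default CA paths are no longer added whenever `clientCACertFilename` or `clientCACertPath` is configured, whereas the removed code loaded the custom locations and then always called `SSL_CTX_set_default_verify_paths`; a deployment that relied on the system store plus an extra CA file would now fail to verify servers chained to system roots. If that narrowing is intended (trusting only the configured store is the stricter choice), say so in a comment above the branch, e.g. `// An explicit CA file/path replaces the system trust store; default paths are only a fallback.`; otherwise restore the unconditional call by replacing the `} else if (...) {` line with `}` followed by `if (!SSL_CTX_set_default_verify_paths(client_ctx)) {`. Note also that both calls now run regardless of `params->clientVerify`, so a bad CA file fails client-context creation even when peer verification is disabled; that is probably acceptable but is a changed failure mode the commit message does not mention. SSLInitClientContext begins and ends outside the hunk.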
@@ -1013,13 +1013,6 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
       SSLErrorVC(this, "failed to create SSL client session");
       return EVENT_ERROR;
     }
-    if (clientVerify && params->clientCACertFilename != nullptr && params->clientCACertPath != nullptr) {
-      if (!SSL_CTX_load_verify_locations(clientCTX, params->clientCACertFilename, params->clientCACertPath)) {
-        SSLError("invalid client CA Certificate file (%s) or CA Certificate path (%s)", params->clientCACertFilename,
-                 params->clientCACertPath);
-        return EVENT_ERROR;
-      }
-    }
 
     this->ssl = make_ssl_connection(clientCTX, this);
     if (this->ssl == nullptr) {