diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 59254218c9..4e4a2cd4ac 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.98 2007/10/03 13:57:52 mha Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.99 2007/10/03 15:12:45 tgl Exp $
*
* NOTES
* [ Most of these notes are wrong/obsolete, but perhaps not all ]
@@ -588,8 +588,8 @@ client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
#ifndef WIN32
struct stat buf2;
-#endif
FILE *fp;
+#endif
char fnbuf[MAXPGPATH];
BIO *bio;
PGconn *conn = (PGconn *) SSL_get_app_data(ssl);
@@ -602,27 +602,32 @@ client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
return 0;
}
- /* save OpenSSL error stack */
- ERR_set_mark();
-
/* read the user certificate */
snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
/*
- * OpenSSL <= 0.8.2 lacks error stack handling. Do a separate check
- * for the existance of the file without using BIO functions to make
- * it pick up the majority of the cases with the old versions.
+ * OpenSSL <= 0.9.8 lacks error stack handling, which means it's likely
+ * to report wrong error messages if access to the cert file fails.
+ * Do our own check for the readability of the file to catch the
+ * majority of such problems before OpenSSL gets involved.
*/
#ifndef HAVE_ERR_SET_MARK
- if ((fp = fopen(fnbuf, "r")) == NULL)
{
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not open certificate file \"%s\": %s\n"),
- fnbuf, pqStrerror(errno, sebuf, sizeof(sebuf)));
- return 0;
+ FILE *fp2;
+
+ if ((fp2 = fopen(fnbuf, "r")) == NULL)
+ {
+ printfPQExpBuffer(&conn->errorMessage,
+ libpq_gettext("could not open certificate file \"%s\": %s\n"),
+ fnbuf, pqStrerror(errno, sebuf, sizeof(sebuf)));
+ return 0;
+ }
+ fclose(fp2);
}
- fclose(fp);
#endif
+
+ /* save OpenSSL error stack */
+ ERR_set_mark();
if ((bio = BIO_new_file(fnbuf, "r")) == NULL)
{