Description
#3542 added to the documentation (in OSSL_STORE_LOADER.pod):

```
The B<file:> scheme has built in support.
```
#8442 introduced the following documentation text regarding the -CAstore option of many apps to openssl.pod:

```
=item B<-CAstore> I<uri>
Use I<uri> as a store of trusted CA certificates. The URI may
indicate a single certificate, as well as a collection of them.
With URIs in the C<file:> scheme, this acts as B<-CAfile> or
B<-CApath>, depending on if the URI indicates a single file or
directory.
See L<ossl_store-file(7)> for more information on the C<file:> scheme.
```

from which it got moved later to openssl-verification-options.pod.
Similarly, the following text was added regarding the -chainCAstore option to openssl-s_server.pod.in:

```
=item B<-chainCAstore> I<uri>
The URI to a store to use for building the chain provided to the client.
The URI may indicate a single certificate, as well as a collection of
them.
With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
B<-chainCApath>, depending on if the URI indicates a directory or a
single file.
See L<ossl_store-file(7)> for more information on the C<file:> scheme.
```

which later got copied for consistency also to openssl-s_client.pod.in.
Yet this does not really work.
For instance, when using s_client with -CAfile and the explicit file: scheme with an existing file,
such as file:test/certs/root-cert.pem, one gets:

```
80CC5EF401000000:error:80000002:system library:BIO_new_file:No such file or directory:crypto/bio/bss_file.c:67:calling fopen(file:test/certs/root-cert.pem, r)
```

And with the -CAstore option, when using the same argument or just test/certs/root-cert.pem, the option gets ignored entirely (which can also be seen by referencing a non-existing file).