Validation of certificate chains will fail before dcpomatic_setup()

is called, as OpenSSL has not yet been set up.

Make sure that these failures only raise a Bad() (which nobody is yet
listening to) rather than throwing an exception which gets caught
and reported as a failed-to-load config.

If none of the OpenSSL stuff is working chain_valid() will return false
but private_key_valid() will throw an exception (as it tries to get the
leaf certificate, causing a validity check).

2 files changed, 6 insertions, 2 deletions

diff --git a/src/lib/config.cc b/src/lib/config.cc
index ea2a57939..74f916b21 100644
--- a/src/lib/config.cc
+++ b/src/lib/config.cc
@@ -487,11 +487,11 @@ try
 		}
 	}
 
-	if (!_signer_chain->private_key_valid() || !_signer_chain->chain_valid()) {
+	if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) {
 		bad = BAD_SIGNER_INCONSISTENT;
 	}
 
-	if (!_decryption_chain->private_key_valid() || !_decryption_chain->chain_valid()) {
+	if (!_decryption_chain->chain_valid() || !_decryption_chain->private_key_valid()) {
 		bad = BAD_DECRYPTION_INCONSISTENT;
 	}
 
diff --git a/src/tools/dcpomatic.cc b/src/tools/dcpomatic.cc
index 73e215c04..508390a38 100644
--- a/src/tools/dcpomatic.cc
+++ b/src/tools/dcpomatic.cc
@@ -1506,6 +1506,10 @@ private:
 			*/
 			Config::drop ();
 
+			/* We only look out for bad configuration from here on, as before
+			   dcpomatic_setup() we haven't got OpenSSL ready so there will be
+			   incorrect certificate chain validity errors.
+			*/
 			Config::Bad.connect (boost::bind(&App::config_bad, this, _1));
 
 			_frame = new DOMFrame (_("DCP-o-matic"));