authorMatthias Andree <matthias.andree@gmx.de>2010-04-23 01:40:04 +0200
committerMatthias Andree <matthias.andree@gmx.de>2010-04-23 01:40:04 +0200
commite87f96bd9730e2bdb407d0a9cca2a05ee0dabce5 (patch)
treeec6908aa50451103ad3399c751ce7149065c762e
parent2d82d591db0c102bf9d2d29586bb347ef802bc39 (diff)
--sslcert{file|path} overrides default store, add environment var...
If at least one of --sslcertfile and --sslcertpath is given, fetchmail skips loading the default OpenSSL X.509 trusted CA cert locations. If the environment variable FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS is set to a non-empty value, fetchmail will additionally load the default locations. The old FETCHMAIL_NO_DEFAULT_X509_PATHS variable was dropped.
-rw-r--r--NEWS12
-rw-r--r--fetchmail.man71
-rw-r--r--socket.c27
3 files changed, 57 insertions, 53 deletions
diff --git a/NEWS b/NEWS
index 1c2bb5da..6ed8d04c 100644
--- a/NEWS
+++ b/NEWS
@@ -67,9 +67,10 @@ fetchmail-6.3.17 (not yet released):
* Fetchmail now supports a --sslcertfile <file> option to specify a "CA bundle"
file (a file that contains trusted CA certificates). Since these bundled CA
files do not require c_rehash to be run, they are easier to use and immune to
- OpenSSL library updates. Also see CHANGES below.
-* Fetchmail now supports a FETCHMAIL_NO_DEFAULT_X509_PATHS environment variable
- to defeat loading the default SSL CA certificate locations. Also see CHANGES.
+ OpenSSL library updates that affect the hash function.
+* Fetchmail now supports a FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS
+ environment variable to force loading the default SSL CA certificate
+ locations.
# REGRESSION FIX
* Fix string handling in rcfile scanner, which caused fetchmail to misparse a
@@ -87,11 +88,6 @@ fetchmail-6.3.17 (not yet released):
are now helpful pointers to --sslcertpath and c_rehash for "unable to get
local issuer certificate" and self-signed certificates -- these usually hint
to missing root signing CAs in the certs directory.
-* Default locations: Fetchmail will now always load the SSL default trusted CA
- certificate locations, unless the environmental variable
- FETCHMAIL_NO_DEFAULT_X509_PATHS is set and non-empty. Fetchmail used to load
- the default locations only if --sslcertpath was not given.
- This is a migration aid for systems upgrading to OpenSSL 1.0.0.
# DOCUMENTATION
* Fix table of global option to read "set softbounce" where there used to be a
diff --git a/fetchmail.man b/fetchmail.man
index f6c8915f..8e1ae219 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -513,11 +513,15 @@ fetchmail versions.
Sets the file fetchmail uses to look up local certificates. The default is
empty. This can be given in addition to \fB\-\-sslcertpath\fP below, and
certificates specified in \fB\-\-sslcertfile\fP will be processed before those
-in \fB\-\-sslcertpath\fP. The option can be used in addition to \fB\-\-sslcertpath\fP.
+in \fB\-\-sslcertpath\fP. The option can be used in addition to
+\fB\-\-sslcertpath\fP.
.IP
-Note that fetchmail will always first load the default SSL trusted CA certificates file
-unless that is defeated by setting the environment variable
-.BR FETCHMAIL_NO_DEFAULT_X509_PATHS .
+The file is a text file. It contains the concatenation of trusted CA
+certificates in PEM format.
+.IP
+Note that using this option will suppress loading the default SSL trusted CA
+certificates file unless you set the environment variable
+\fBFETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS\fP to a non-empty value.
.TP
.B \-\-sslcertpath <directory>
(Keyword: sslcertpath)
@@ -532,9 +536,9 @@ subdirectory). Also, after OpenSSL upgrades, you may need to run
This can be given in addition to \fB\-\-sslcertfile\fP above, which see for
precedence rules.
.IP
-Note that fetchmail will also add the default SSL trusted CA certificates directory
-first unless defeated by setting the environment variable
-.BR FETCHMAIL_NO_DEFAULT_X509_PATHS .
+Note that using this option will suppress adding the default SSL trusted CA
+certificates directory unless you set the environment variable
+\fBFETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS\fP to a non-empty value.
.TP
.B \-\-sslcommonname <common name>
(Keyword: sslcommonname; since v6.3.9)
@@ -2752,7 +2756,15 @@ lock file to help prevent concurrent runs (root mode, Linux systems).
lock file to help prevent concurrent runs (root mode, systems without /var/run).
.SH ENVIRONMENT
-.B FETCHMAILUSER:
+.IP \fBFETCHMAILHOME\fP
+If this environment variable is set to a valid and
+existing directory name, fetchmail will read $FETCHMAILHOME/fetchmailrc
+(the dot is missing in this case), $FETCHMAILHOME/.fetchids and
+$FETCHMAILHOME/.fetchmail.pid rather than from the user's home
+directory. The .netrc file is always looked for in the the invoking
+user's home directory regardless of FETCHMAILHOME's setting.
+
+.IP \fBFETCHMAILUSER\fP
If this environment variable is set, it is used as the name of the
calling user (default local name) for purposes such as mailing error
notifications. Otherwise, if either the LOGNAME or USER variable is
@@ -2762,47 +2774,34 @@ then that name is used as the default local name. Otherwise
session ID (this elaborate logic is designed to handle the case of
multiple names per userid gracefully).
-.B FETCHMAILHOME:
-If this environment variable is set to a valid and
-existing directory name, fetchmail will read $FETCHMAILHOME/fetchmailrc
-(the dot is missing in this case), $FETCHMAILHOME/.fetchids and
-$FETCHMAILHOME/.fetchmail.pid rather than from the user's home
-directory. The .netrc file is always looked for in the the invoking
-user's home directory regardless of FETCHMAILHOME's setting.
-
-.B FETCHMAIL_NO_DEFAULT_X509_PATHS
+.IP \fBFETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS\fP
(since v6.3.17):
-If this environment variable is set and not empty, fetchmail will NOT load the
-default X.509 trusted certificate locations for SSL/TLS CA certificates.
-Default (if variable unset or empty): load certificate locations. This is
-rarely necessary outside testing. It might be useful in conjunction with
-\fB\-\-sslcertfile\fP and \fB\-\-sslcertpath\fP in case there are broken
-certificates in the system directories and the user has no administrator
-privileges to remedy the problem.
-
-.B HOME_ETC:
+If this environment variable is set and not empty, fetchmail will always load
+the default X.509 trusted certificate locations for SSL/TLS CA certificates,
+even if \fB\-\-sslcertfile\fP and \fB\-\-sslcertpath\fP are given. The latter locations take precedence over the system default locations.
+This is useful in case there are broken certificates in the system directories
+and the user has no administrator privileges to remedy the problem.
+
+.IP \fBHOME_ETC\fP
If the HOME_ETC variable is set, fetchmail will read
$HOME_ETC/.fetchmailrc instead of ~/.fetchmailrc.
If HOME_ETC and FETCHMAILHOME are both set, HOME_ETC will be ignored.
-.B SOCKS_CONF:
+.IP \fBSOCKS_CONF\fP
(only if SOCKS support is compiled in) this variable is used by the
socks library to find out which configuration file it should read. Set
this to /dev/null to bypass the SOCKS proxy.
.SH SIGNALS
-If a
-\fBfetchmail\fP
-daemon is running as root, SIGUSR1 wakes it up from its sleep phase and
-forces a poll of all non-skipped servers. For compatibility reasons,
-SIGHUP can also be used in 6.3.X but may not be available in future
+If a \fBfetchmail\fP daemon is running as root, SIGUSR1 wakes it up from its
+sleep phase and forces a poll of all non-skipped servers. For compatibility
+reasons, SIGHUP can also be used in 6.3.X but may not be available in future
fetchmail versions.
.PP
-If
-\fBfetchmail\fP
-is running in daemon mode as non-root, use SIGUSR1 to wake it (this is
-so SIGHUP due to logout can retain the default action of killing it).
+If \fBfetchmail\fP is running in daemon mode as non-root, use SIGUSR1 to wake
+it (this is so SIGHUP due to logout can retain the default action of killing
+it).
.PP
Running \fBfetchmail\fP in foreground while a background fetchmail is
running will do whichever of these is appropriate to wake it up.
diff --git a/socket.c b/socket.c
index fd42ca4c..ad479a3b 100644
--- a/socket.c
+++ b/socket.c
@@ -794,9 +794,9 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
X509_NAME_oneline(subj, buf, sizeof(buf));
buf[sizeof(buf) - 1] = '\0';
report(stderr, GT_("This means that the root signing certificate (issued for %s) is not in the "
- "directory of trusted CA certificates, or that c_rehash needs to be run "
- "on that directory. For details, please "
- "see the documentation of --sslcertpath in the manual page.\n"), buf);
+ "trusted CA certificate locations, or that c_rehash needs to be run "
+ "on the certificate directory. For details, please "
+ "see the documentation of --sslcertpath and --sslcertfile in the manual page.\n"), buf);
break;
default:
break;
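Review bot: The rewritten hint still does not mention the new failure mode this commit itself introduces: per the commit description, once --sslcertfile or --sslcertpath is given the system default CA store is no longer loaded, so a user who passes a partial bundle will land on exactly this "unable to get local issuer certificate" path and be pointed only at c_rehash and the manual. Consider appending one more sentence to the format string before the closing `), buf);`, e.g. `"Note that giving --sslcertfile or --sslcertpath suppresses the system default CA store unless FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS is set.\n"`. The enclosing SSL_verify_callback starts before this hunk, so whether this message is also printed in the non-strict (warn-only) mode is not visible here.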
@@ -919,19 +919,28 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
} else {
/* In this case, we do not fail if verification fails. However,
- * we provide the callback for output and possible fingerprint checks. */
+ * we provide the callback for output and possible fingerprint
+ * checks. */
SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_nock_verify_callback);
}
+ /* Check which trusted X.509 CA certificate store(s) to load */
{
- char *t = getenv("FETCHMAIL_NO_DEFAULT_X509_PATHS");
+ char *tmp;
+ int want_default_cacerts = 0;
- if (t == NULL || t[0] == '\0')
+ /* Load user locations if any is given */
+ if (certpath || cacertfile)
+ SSL_CTX_load_verify_locations(_ctx[sock],
+ cacertfile, certpath);
+ else
+ want_default_cacerts = 1;
+
+ tmp = getenv("FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS");
+ if (want_default_cacerts || (tmp && tmp[0])) {
SSL_CTX_set_default_verify_paths(_ctx[sock]);
+ }
}
-
- if (certpath || cacertfile)
- SSL_CTX_load_verify_locations(_ctx[sock], cacertfile, certpath);
_ssl_context[sock] = SSL_new(_ctx[sock]);