author: Matthias Andree <matthias.andree@gmx.de> 2021-01-30 14:15:10 +0100
committer: Matthias Andree <matthias.andree@gmx.de> 2021-01-30 14:20:45 +0100
commit: a00157c59640cbc341e0d4110d4e853c3da20908
tree: beb3369c26b554eda37693bbab449d39b582a9de
parent: 1df193714c62e6b12f1b8f1dab10fd23b6d06e51
--version: print default cert paths, and document SSL_CERT_* in manpage
When Gene Heskett was updating his OpenSSL on Debian oldstable, we figured that it might be helpful to print where OpenSSL goes looking for the trusted certificate. Add this information. Also add documentation of OpenSSL's SSL_CERT_DIR/SSL_CERT_FILE environment variables.
Makefile.am   |  2
NEWS          | 13
README.SSL    |  8
fetchmail.c   |  2
fetchmail.man | 19
5 files changed, 41 insertions, 3 deletions
diff --git a/Makefile.am b/Makefile.am
index d7d0320c..a6b74fbe 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -35,7 +35,7 @@ libfm_a_SOURCES= xmalloc.c base64.c rfc822.c report.c rfc2047e.c \
smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
smbtypes.h fm_getaddrinfo.c starttls.c rfc822valid.c \
xmalloc.h sdump.h sdump.c x509_name_match.c \
- fm_strl.h md5c.c
+ fm_strl.h md5c.c tls-aux.c
if NTLM_ENABLE
libfm_a_SOURCES += ntlmsubr.c
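Review bot: tls-aux.c is added to libfm_a_SOURCES here, but no such file is part of this commit (the diffstat lists only Makefile.am, NEWS, README.SSL, fetchmail.c and fetchmail.man), so the build breaks at the automake/make stage unless the file is already in the tree. If it is new, it belongs in this same commit together with a header that declares get_default_cert_file() and get_default_cert_path(), which the fetchmail.c hunk below calls without adding any #include.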
diff --git a/NEWS b/NEWS
index 517fac1a..c386abaf 100644
--- a/NEWS
+++ b/NEWS
@@ -81,6 +81,19 @@ fetchmail-6.4.16 (not yet released):
6.2.5 to 6.4.X duplicate suppression by entire raw header.
Manpage bug found by Julian Bane debugging "duplicate message" behaviour.
+# FEATURE
+* fetchmail --version [fetchmail -V] now queries and prints the SSL/TLS
+ library's "SSL default trusted certificate" file or directory (mind the word
+ "default"), where the OpenSSL-compatible TLS implementation will look for
+ trusted root, meaning certification authority (CA), certificates.
+ NOTE 1: watch the output carefully if the line prints the defaults
+ or the configured path (without "default").
+ NOTE 2: SSL_CERT_DIR and SSL_CERT_FILE are documented environment variables
+ for OpenSSL 1.1.1 to override the *default* locations (those compiled into
+ OpenSSL or possibly in its configuration file).
+ This was added when Gene Heskett was debugging his setup and the
+ information "where does OpenSSL look" was missing.
+
# KNOWN BUGS AND WORKAROUNDS
(This section floats upwards through the NEWS file so it stays with the
current release information)
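Review bot: NOTE 1 in the new FEATURE entry is hard to parse ("watch the output carefully if the line prints the defaults or the configured path"); since the default-versus-configured distinction is the whole point of the entry, spell it out, e.g. 'check whether the printed line contains the word "default" (the library's compiled-in or configured location) or not (the path given with --sslcertfile / --sslcertpath, which is what is actually used)'. Also "documented environment variables for OpenSSL 1.1.1" reads as if they were specific to that release; the manpage text in this same commit says "OpenSSL 1.1.1 compatible library", and the two should agree.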
diff --git a/README.SSL b/README.SSL
index 6c85eb38..9cbb50ce 100644
--- a/README.SSL
+++ b/README.SSL
@@ -31,7 +31,7 @@ Use an up-to-date release of OpenSSL v1.1.1 or newer, so as to get
TLSv1.3 support. Older OpenSSL versions are unsupported upstream, and
fetchmail rejects versions before v1.0.2 and warns about versions before v1.1.1.
-In all four examples below, the (--)sslcertck has become redunant
+In all four examples below, the (--)sslcertck has become redundant
since fetchmail v6.4.0 but since fetchmail 6.3 releases will be in circulation
for a while, we'll leave it here to be safe.
@@ -99,8 +99,12 @@ you put the CA's certificate into a directory where you keep trusted
certificates, and point fetchmail to it. Fetchmail will then accept
certificates signed by the owner of that certificate with the private key
belonging to the public key in the certificate.
-You can specify this path using the "sslcertpath" option if it is
+ You can specify this path using the "sslcertpath" option if it is
different from the one OpenSSL uses by default.
+ Alternatively, a "bundle" file (a concatenation of trusted certificates in PEM
+form) can be given, using the "sslcertfile".
+ fetchmail 6.4.16 and newer will print the default locations where the SSL
+library looks when run as fetchmail -V or fetchmail --version.
The idea is that the CA only gives certificates to entities whose identity it
has checked and verified (and in this case, that the server name you specify
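Review bot: the replacement line "+ You can specify this path ..." gains a leading space that the removed line did not have, and the other two new paragraph openers ("+ Alternatively, ..." and "+ fetchmail 6.4.16 ...") carry the same stray indentation while their continuation lines do not; either indent consistently with the surrounding README text or drop the leading spaces. In addition, 'can be given, using the "sslcertfile".' is missing the word "option" after the quoted name, matching the '"sslcertpath" option' wording two lines above.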
diff --git a/fetchmail.c b/fetchmail.c
index 907a8bcb..e6ceb71a 100644
--- a/fetchmail.c
+++ b/fetchmail.c
@@ -1769,8 +1769,10 @@ static void dump_params (struct runctl *runp,
} else {
printf(GT_(" SSL server certificate checking disabled.\n"));
}
+ printf(GT_(" SSL default trusted certificate file: %s\n"), get_default_cert_file());
if (ctl->sslcertfile != NULL)
printf(GT_(" SSL trusted certificate file: %s\n"), ctl->sslcertfile);
+ printf(GT_(" SSL default trusted certificate directory: %s\n"), get_default_cert_path());
if (ctl->sslcertpath != NULL)
printf(GT_(" SSL trusted certificate directory: %s\n"), ctl->sslcertpath);
if (ctl->sslcommonname != NULL)
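Review bot: the two new printf() calls hand the return values of get_default_cert_file() and get_default_cert_path() straight to %s; if either helper can return NULL (for example on a build whose TLS library has no compiled-in default location), passing NULL to %s is undefined behaviour. Guard the calls the same way the neighbouring ctl->sslcertfile and ctl->sslcertpath lines are guarded, or have the helpers return a fixed string such as "(none)". Since no header change in this commit declares either function, make sure a prototype is visible to fetchmail.c; otherwise the compiler will warn about, or with newer defaults reject, the implicit declaration, and an implicit int return would be wrong for a pointer anyway.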
diff --git a/fetchmail.man b/fetchmail.man
index d562788c..c32cada8 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -2940,6 +2940,25 @@ and HOME_ETC will be ignored.
socks library to find out which configuration file it should read. Set
this to /dev/null to bypass the SOCKS proxy.
+.IP \fBSSL_CERT_DIR\fP
+(with truly OpenSSL 1.1.1 compatible library): overrides OpenSSL's idea
+of the default trust directory or path (which contains individual certificate
+files and hashed symlinks), see the SSL_CTX_set_default_verify_paths(3)
+manual page for details, it may be in the openssl development package.
+If using another library's OpenSSL compatibility interface, this may not work.
+Since this variable only specifies a default value, the option \-\-sslcertpath
+takes precedence if given.
+
+.IP \fBSSL_CERT_FILE\fP
+(with truly OpenSSL 1.1.1 compatible library): overrides OpenSSL's idea
+of the default trust certificate bundle file (which contains a concatenation
+of base64-encoded certificates in PEM format), see the
+SSL_CTX_set_default_verify_paths(3) manual page
+for details, it may be in the openssl development package.
+If using another library's OpenSSL compatibility interface, this may not work.
+Since this variable only specifies a default value, the option \-\-sslcertfile
+takes precedence if given.
+
.SH SIGNALS
If a \fBfetchmail\fP daemon is running as root, SIGUSR1 wakes it up from its
sleep phase and forces a poll of all non-skipped servers. For compatibility
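Review bot: both new .IP entries open with the awkward "(with truly OpenSSL 1.1.1 compatible library)" and run "see the SSL_CTX_set_default_verify_paths(3) manual page for details, it may be in the openssl development package" into the preceding sentence with a comma; suggest "(only with OpenSSL 1.1.1 or a library that faithfully implements its interface)" and a separate sentence "See the SSL_CTX_set_default_verify_paths(3) manual page for details; it is shipped with the OpenSSL development package." The precedence sentences ("the option \-\-sslcertpath/\-\-sslcertfile takes precedence if given") are the important part and read well; since the two entries otherwise repeat the same caveats word for word, consider stating the shared explanation once and cross-referencing it from the second entry.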