author | Matthias Andree <matthias.andree@gmx.de> | 2010-04-18 20:22:27 +0200 |
committer | Matthias Andree <matthias.andree@gmx.de> | 2010-04-18 20:22:27 +0200 |
commit | 497ba428052f1437187778ceb2293c8eaba5893f (patch) | |
tree | 353f899ae268adf5af1b878207bc72118128dcd8 /socket.c | |
parent | 6da324a5e02587c48cd527522d92a72b66b3b42e (diff) | |
Add --sslcertfile option and FETCHMAIL_NO_DEFAULT_X509_PATHS env var,
and always load the default X.509 trust stores, unless the latter is set.
Diffstat (limited to 'socket.c')
-rw-r--r-- | socket.c | 17 |
1 files changed, 12 insertions, 5 deletions
@@ -857,7 +857,8 @@ static const char *SSLCertGetCN(const char *mycert,
 * uses SSL *ssl global variable, which is currently defined
 * in this file
 */
-int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck, char *certpath,
+int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck,
+ char *cacertfile, char *certpath,
 char *fingerprint, char *servercname, char *label, char **remotename)
 {
 struct stat randstat;
@@ -921,10 +922,16 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 * we provide the callback for output and possible fingerprint checks. */
 SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_nock_verify_callback);
 }
- if (certpath)
- SSL_CTX_load_verify_locations(_ctx[sock], NULL, certpath);
- else
- SSL_CTX_set_default_verify_paths(_ctx[sock]);
+
+ {
+ char *t = getenv("FETCHMAIL_NO_DEFAULT_X509_PATHS");
+
+ if (t == NULL || t[0] == '\0')
+ SSL_CTX_set_default_verify_paths(_ctx[sock]);
+ }
+
+ if (certpath || cacertfile)
+ SSL_CTX_load_verify_locations(_ctx[sock], cacertfile, certpath);
 _ssl_context[sock] = SSL_new(_ctx[sock]);
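Review bot: The new `cacertfile` parameter added to the SSLOpen() signature is undocumented — the header comment above it only says the function uses the `SSL *ssl` global, and neither `cacertfile` nor `certpath` is described even though both now feed the trust store through SSL_CTX_load_verify_locations() in the second hunk. I would extend that comment with ` * cacertfile: optional file of trusted CA certificates (NULL to skip)` and ` * certpath: optional directory of trusted CA certificates (NULL to skip)`, and add that the default X.509 trust store is loaded in addition unless FETCHMAIL_NO_DEFAULT_X509_PATHS is set to a non-empty value. It is worth stating there as well that a load failure for either location is not reported at this point, since the return value of SSL_CTX_load_verify_locations() in the second hunk is discarded, so a mistyped --sslcertfile path leaves the context with only whatever the default store provided. SSLOpen's body continues past both hunks.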