diff options
| -rw-r--r-- | INSTALL | 18 | ||||
| -rw-r--r-- | configure.ac | 5 | ||||
| -rw-r--r-- | socket.c | 34 |
3 files changed, 52 insertions, 5 deletions
@@ -51,6 +51,8 @@ with all OpenSSL APIs (as of 5.0.0): ./configure --enable-opensslall --enable-harden make && make test && make install +fetchmail's configure option --with-wolfssl takes precedence over --with-ssl. + 1.2 gettext (internationalization) Internationalization of fetchmail requires GNU gettext (libintl and @@ -89,7 +91,21 @@ configure option '--with-included-gettext'. Installing fetchmail is easy. From within this directory, type: - ./configure +When using OpenSSL: + + ./configure + +When using wolfSSL (adjust the location, see below): + + ./configure --with-wolfssl \ + WOLFSSL_TRUST_FILE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + +Here, you need to adjust the file path according to where your ca_cert_nss or +ca-certificates package installs the default trust bundle in PEM format with +BEGIN CERTIFICATE lines. Some typical locations as of 2021 are: +on Fedora Linux: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem +on Debian/Ubuntu: /etc/ssl/certs/ca-certificates.crt +on FreeBSD: /usr/local/share/certs/ca-root-nss.crt The autoconfiguration script will spend a bit of time figuring out the specifics of your system. If you want to specify a particular compiler diff --git a/configure.ac b/configure.ac index 14d8c8ab..533bb05c 100644 --- a/configure.ac +++ b/configure.ac @@ -760,6 +760,11 @@ if test "$with_wolfssl" != "no" ; then AC_DEFINE(SSL_ENABLE, 1) AS_MESSAGE(Enabling SSL support through wolfSSL.) with_ssl=yes + if test -z "$WOLFSSL_TRUST_FILE" ; then + AC_MSG_ERROR([You must define WOLFSSL_TRUST_FILE and point it to the default CA certificate file (PEM format)]) + fi + AC_DEFINE_UNQUOTED(WOLFSSL_TRUST_FILE, "$WOLFSSL_TRUST_FILE", + [Set to the default file of trusted certificates.]) else ### use option --with-ssl to compile in the SSL support @@ -1178,17 +1178,43 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck { char *tmp; int want_default_cacerts = 0; + int r = 1; + const char *l1 = 0, *l2 = 0; /* Load user locations if any is given */ - if (certpath || cacertfile) - SSL_CTX_load_verify_locations(_ctx[sock], + if (certpath || cacertfile) { + l1 = cacertfile; + l2 = certpath; + r = SSL_CTX_load_verify_locations(_ctx[sock], cacertfile, certpath); - else + if (1 != r) goto no_verify_load; + } else { want_default_cacerts = 1; + } tmp = getenv("FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS"); if (want_default_cacerts || (tmp && tmp[0])) { - SSL_CTX_set_default_verify_paths(_ctx[sock]); +#ifdef USING_WOLFSSL + /* wolfSSL 5.0.0 does not implement + * SSL_CTX_set_default_verify_paths(). Use something + * else: */ + const char *tmp = WOLFSSL_TRUST_FILE; + l1 = tmp; l2=NULL; + if (*tmp) + r = SSL_CTX_load_verify_locations(_ctx[sock], + tmp, NULL); +#else + r = SSL_CTX_set_default_verify_paths(_ctx[sock]); + if (1 != r) goto no_verify_load; +#endif + } + + if (1 != r) { +no_verify_load: + report(stderr, GT_("Cannot load verify locations (file=\"%s\", dir=\"%s\"), error %d:\n"), + l1?l1:"(null)", l2?l2:"(null)", r); + ERR_print_errors_fp(stderr); + return -1; } } |