From 497ba428052f1437187778ceb2293c8eaba5893f Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Sun, 18 Apr 2010 20:22:27 +0200
Subject: Add --sslcertfile option and FETCHMAIL_NO_DEFAULT_X509_PATHS env var, and always load the default X.509 trust stores, unless the latter is set.
---
 socket.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
(limited to 'socket.c')
diff --git a/socket.c b/socket.c
index 2ef70961..fd42ca4c 100644
--- a/socket.c
+++ b/socket.c
@@ -857,7 +857,8 @@ static const char *SSLCertGetCN(const char *mycert,
 * uses SSL *ssl global variable, which is currently defined
 * in this file
 */
-int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck, char *certpath,
+int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck,
+ char *cacertfile, char *certpath,
 char *fingerprint, char *servercname, char *label, char **remotename)
 {
 struct stat randstat;
@@ -921,10 +922,16 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 * we provide the callback for output and possible fingerprint checks. */
 SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_nock_verify_callback);
 }
- if (certpath)
- SSL_CTX_load_verify_locations(_ctx[sock], NULL, certpath);
- else
- SSL_CTX_set_default_verify_paths(_ctx[sock]);
+
+ {
+ char *t = getenv("FETCHMAIL_NO_DEFAULT_X509_PATHS");
+
+ if (t == NULL || t[0] == '\0')
+ SSL_CTX_set_default_verify_paths(_ctx[sock]);
+ }
+
+ if (certpath || cacertfile)
+ SSL_CTX_load_verify_locations(_ctx[sock], cacertfile, certpath);
 _ssl_context[sock] = SSL_new(_ctx[sock]);
-- cgit v1.2.3
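Review bot: The new `cacertfile` parameter on the second added line of the first hunk is declared `char *`, although the only use visible in this diff hands it straight to `SSL_CTX_load_verify_locations`, which takes `const char *`; declaring it `const char *cacertfile` would let callers pass literals or configuration-owned strings without a cast and would record that SSLOpen does not write through it. The header comment just above the signature also says nothing about what the new argument is or how it relates to `certpath`; a line such as `* cacertfile: file of trusted CA certificates, certpath: directory of CA certificates (either may be NULL)` would help the next reader. The body of SSLOpen continues outside this hunk.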
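Review bot: The return value of `SSL_CTX_load_verify_locations` on the last added line of the second hunk is discarded, so an unreadable or malformed `--sslcertfile`/`--sslcertpath` is silently ignored, and because the default trust store is now loaded unconditionally just before it, the connection then proceeds trusting only the system CAs while the user believes a private CA is in force. The removed code had the same omission, but it mattered less when `certpath` replaced the defaults instead of supplementing them. Check the result (1 means success), report the failure, and refuse the connection when strict checking (`certck`) was requested; the same applies, less critically, to the `SSL_CTX_set_default_verify_paths` call in the env-var block. A short comment on that block would also make the new trust model explicit, e.g. `/* The system trust store is always loaded first and a user CA file/path is added to it; set FETCHMAIL_NO_DEFAULT_X509_PATHS to trust only the user-supplied anchors. */`. SSLOpen's existing failure path is outside this hunk, so the return value below is an assumption to confirm.
```c
	if (certpath || cacertfile) {
		if (SSL_CTX_load_verify_locations(_ctx[sock], cacertfile, certpath) != 1) {
			/* report the failure through the file's usual error path (not visible in this hunk);
			 * with certck set, fail closed rather than silently fall back to the system store */
			if (certck)
				return -1; /* assumes -1 is SSLOpen's failure value - confirm against the rest of the function */
		}
	}
	/* … unchanged: _ssl_context[sock] = SSL_new(...) … */
```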