From e87f96bd9730e2bdb407d0a9cca2a05ee0dabce5 Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Fri, 23 Apr 2010 01:40:04 +0200
Subject: --sslcert{file|path} overrides default store, add environment var...

If at least one of --sslcertfile and --sslcertpath is given, fetchmail skips loading the default OpenSSL X.509 trusted CA cert locations. If the environment variable FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS is set to a non-empty value, fetchmail will additionally load the default locations. The old FETCHMAIL_NO_DEFAULT_X509_PATHS variable was dropped.
---
 socket.c | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
(limited to 'socket.c')

diff --git a/socket.c b/socket.c
index fd42ca4c..ad479a3b 100644
--- a/socket.c
+++ b/socket.c
@@ -794,9 +794,9 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
 X509_NAME_oneline(subj, buf, sizeof(buf));
 buf[sizeof(buf) - 1] = '\0';
 report(stderr, GT_("This means that the root signing certificate (issued for %s) is not in the "
- "directory of trusted CA certificates, or that c_rehash needs to be run "
- "on that directory. For details, please "
- "see the documentation of --sslcertpath in the manual page.\n"), buf);
+ "trusted CA certificate locations, or that c_rehash needs to be run "
+ "on the certificate directory. For details, please "
+ "see the documentation of --sslcertpath and --sslcertfile in the manual page.\n"), buf);
 break;
 default:
 break;
@@ -919,19 +919,28 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
 } else {
 /* In this case, we do not fail if verification fails. However,
- * we provide the callback for output and possible fingerprint checks. */
+ * we provide the callback for output and possible fingerprint
+ * checks. */
 SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_nock_verify_callback);
 }
+ /* Check which trusted X.509 CA certificate store(s) to load */
 {
- char *t = getenv("FETCHMAIL_NO_DEFAULT_X509_PATHS");
+ char *tmp;
+ int want_default_cacerts = 0;
- if (t == NULL || t[0] == '\0')
+ /* Load user locations if any is given */
+ if (certpath || cacertfile)
+ SSL_CTX_load_verify_locations(_ctx[sock],
+ cacertfile, certpath);
+ else
+ want_default_cacerts = 1;
+
+ tmp = getenv("FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS");
+ if (want_default_cacerts || (tmp && tmp[0])) {
 SSL_CTX_set_default_verify_paths(_ctx[sock]);
+ }
 }
-
- if (certpath || cacertfile)
- SSL_CTX_load_verify_locations(_ctx[sock], cacertfile, certpath);
 _ssl_context[sock] = SSL_new(_ctx[sock]);
-- cgit v1.2.3
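Review bot: Both OpenSSL calls in the new block discard their return value — `SSL_CTX_load_verify_locations()` under `if (certpath || cacertfile)` and `SSL_CTX_set_default_verify_paths()` under the environment check — so a mistyped --sslcertfile/--sslcertpath or an unreadable default store leaves the context without trust anchors and without any diagnostic. Since this commit also stops loading the default locations whenever a user location is given, that silent failure now empties the whole trust store, and in the SSL_nock_verify_callback branch the session still proceeds. Both functions return 1 on success; I would test them and report the failure with the file's existing `report(stderr, GT_(...))` idiom, as in the rewrite below (the message text is a constructed example). Whether a failed load should additionally abort when certck is set depends on SSLOpen's error handling further down, which is outside this hunk, as are the function's start and end.
```c
		/* … unchanged: tmp and want_default_cacerts declarations … */

		/* Load user locations if any is given; both OpenSSL calls return 1 on success */
		if (certpath || cacertfile) {
			if (SSL_CTX_load_verify_locations(_ctx[sock],
						cacertfile, certpath) != 1)
				report(stderr, GT_("could not load trusted CA certificates from --sslcertfile %s / --sslcertpath %s\n"),
						cacertfile ? cacertfile : "(none)", certpath ? certpath : "(none)");
		} else {
			want_default_cacerts = 1;
		}

		tmp = getenv("FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS");
		if (want_default_cacerts || (tmp && tmp[0])) {
			if (SSL_CTX_set_default_verify_paths(_ctx[sock]) != 1)
				report(stderr, GT_("could not load the default trusted CA certificate locations\n"));
		}
```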