author | Tatsuya Kinoshita <tats@debian.org> | 2021-02-28 09:35:42 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@debian.org> | 2021-02-28 09:35:42 +0000 |
commit | c4f588fbb7602d1c5d005a26bf4ba9d3aa3b89fa (patch) | |
tree | 7f8ef14d1109cd20712c62d740749e2025a3e856 | |
parent | Update ChangeLog (diff) | |
New option ssl_ca_default to explicitly use OpenSSL default paths
-rw-r--r-- | doc-jp/README.SSL | 2 | ||||
-rw-r--r-- | fm.h | 1 | ||||
-rw-r--r-- | rc.c | 3 | ||||
-rw-r--r-- | url.c | 7 |
4 files changed, 10 insertions, 3 deletions
diff --git a/doc-jp/README.SSL b/doc-jp/README.SSL
index 525b5f5..99e9a42 100644
--- a/doc-jp/README.SSL
+++ b/doc-jp/README.SSL
@@ -45,6 +45,8 @@ SSL サポートについて
 ssl_ca_file ファイル名
 SSLの認証局のPEM形式証明書群のファイル(デフォルトは未設定, configure時に自動検出可).
+ ssl_ca_default ON/OFF
+ SSLの認証局のPEM形式証明書群のために標準の場所を使う(デフォルトはON).
 ・ EGD (Entropy Gathering Daemon) が利用できる環境でこれを使いたい場合は,
 USE_EGD マクロをチェックしてみてください.
@@ -1187,6 +1187,7 @@ global char *ssl_cert_file init(NULL);
 global char *ssl_key_file init(NULL);
 global char *ssl_ca_path init(NULL);
 global char *ssl_ca_file init(DEF_CAFILE);
+global int ssl_ca_default init(TRUE);
 global int ssl_path_modified init(FALSE);
 #endif /* defined(USE_SSL) &&
 * defined(USE_SSL_VERIFY) */
@@ -203,6 +203,7 @@ static int OptionEncode = FALSE;
 #define CMT_SSL_KEY_FILE N_("PEM encoded private key file of client")
 #define CMT_SSL_CA_PATH N_("Path to directory for PEM encoded certificates of CAs")
 #define CMT_SSL_CA_FILE N_("File consisting of PEM encoded certificates of CAs")
+#define CMT_SSL_CA_DEFAULT N_("Use default locations for PEM encoded certificates of CAs")
 #endif /* USE_SSL_VERIFY */
 #define CMT_SSL_FORBID_METHOD N_("List of forbidden SSL methods (2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)")
 #ifdef SSL_CTX_set_min_proto_version
@@ -634,6 +635,8 @@ struct param_ptr params7[] = {
 NULL},
 {"ssl_ca_file", P_SSLPATH, PI_TEXT, (void *)&ssl_ca_file, CMT_SSL_CA_FILE,
 NULL},
+ {"ssl_ca_default", P_INT, PI_ONOFF, (void *)&ssl_ca_default,
+ CMT_SSL_CA_DEFAULT, NULL},
 #endif /* USE_SSL_VERIFY */
 {NULL, 0, 0, NULL, NULL, NULL},
 };
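Review bot: The option text added as `CMT_SSL_CA_DEFAULT` in the rc.c hunk says that default locations are used, but not that they are used in addition to ssl_ca_file and ssl_ca_path, which is what the url.c hunk in this commit implements and what a user who pinned a private CA needs to see in the option panel. Since the option ships ON, one word makes the additive semantics visible: `#define CMT_SSL_CA_DEFAULT N_("Also use default locations for PEM encoded certificates of CAs")`. The doc-jp/README.SSL entry added in this commit should carry the same clarification. The params7 table that receives the new entry starts outside the hunk.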
@@ -448,12 +448,13 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
 char *file = NULL, *path = NULL;
 if (ssl_ca_file && *ssl_ca_file != '\0') file = ssl_ca_file;
 if (ssl_ca_path && *ssl_ca_path != '\0') path = ssl_ca_path;
- if (!file && !path)
- SSL_CTX_set_default_verify_paths(ssl_ctx);
- else if (!SSL_CTX_load_verify_locations(ssl_ctx, file, path)) {
+ if ((file || path)
+ && !SSL_CTX_load_verify_locations(ssl_ctx, file, path)) {
 free_ssl_ctx();
 goto eend;
 }
+ if (ssl_ca_default)
+ SSL_CTX_set_default_verify_paths(ssl_ctx);
 }
 #endif /* defined(USE_SSL_VERIFY) */
 #endif /* SSLEAY_VERSION_NUMBER >= 0x0800 */
|
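Review bot: The return value of `SSL_CTX_set_default_verify_paths(ssl_ctx)` on the new ssl_ca_default branch is discarded, whereas the SSL_CTX_load_verify_locations failure a few lines above frees the context and jumps to eend; if installing the default store fails, the handshake proceeds with a context that trusts only whatever ssl_ca_file/ssl_ca_path supplied, possibly nothing, and no diagnostic is produced. Mirroring the existing branch keeps both paths consistent: `if (ssl_ca_default && !SSL_CTX_set_default_verify_paths(ssl_ctx)) {` followed by the same `free_ssl_ctx(); goto eend;` body. Note also that the semantics move from "default paths only when no file/path is configured" to "default paths whenever ssl_ca_default is ON", and the fm.h hunk initialises ssl_ca_default to TRUE, so an existing configuration that set ssl_ca_file to restrict trust to a private CA now additionally trusts the system store until the user turns ssl_ca_default OFF; the commit message and README entry should state this explicitly. The body of openSSLHandle starts before the hunk.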