aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc-jp/README.SSL2
-rw-r--r--fm.h1
-rw-r--r--rc.c3
-rw-r--r--url.c7
4 files changed, 10 insertions, 3 deletions
diff --git a/doc-jp/README.SSL b/doc-jp/README.SSL
index 525b5f5..99e9a42 100644
--- a/doc-jp/README.SSL
+++ b/doc-jp/README.SSL
@@ -45,6 +45,8 @@ SSL サポートについて
ssl_ca_file ファイル名
SSLの認証局のPEM形式証明書群のファイル(デフォルトは未設定,
configure時に自動検出可).
+ ssl_ca_default ON/OFF
+ SSLの認証局のPEM形式証明書群のために標準の場所を使う(デフォルトはON).
・ EGD (Entropy Gathering Daemon) が利用できる環境でこれを使いたい場合は,
USE_EGD マクロをチェックしてみてください.
diff --git a/fm.h b/fm.h
index 997574a..ab14b66 100644
--- a/fm.h
+++ b/fm.h
@@ -1187,6 +1187,7 @@ global char *ssl_cert_file init(NULL);
global char *ssl_key_file init(NULL);
global char *ssl_ca_path init(NULL);
global char *ssl_ca_file init(DEF_CAFILE);
+global int ssl_ca_default init(TRUE);
global int ssl_path_modified init(FALSE);
#endif /* defined(USE_SSL) &&
* defined(USE_SSL_VERIFY) */
diff --git a/rc.c b/rc.c
index 308bd55..c238e3e 100644
--- a/rc.c
+++ b/rc.c
@@ -203,6 +203,7 @@ static int OptionEncode = FALSE;
#define CMT_SSL_KEY_FILE N_("PEM encoded private key file of client")
#define CMT_SSL_CA_PATH N_("Path to directory for PEM encoded certificates of CAs")
#define CMT_SSL_CA_FILE N_("File consisting of PEM encoded certificates of CAs")
+#define CMT_SSL_CA_DEFAULT N_("Use default locations for PEM encoded certificates of CAs")
#endif /* USE_SSL_VERIFY */
#define CMT_SSL_FORBID_METHOD N_("List of forbidden SSL methods (2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)")
#ifdef SSL_CTX_set_min_proto_version
@@ -634,6 +635,8 @@ struct param_ptr params7[] = {
NULL},
{"ssl_ca_file", P_SSLPATH, PI_TEXT, (void *)&ssl_ca_file, CMT_SSL_CA_FILE,
NULL},
+ {"ssl_ca_default", P_INT, PI_ONOFF, (void *)&ssl_ca_default,
+ CMT_SSL_CA_DEFAULT, NULL},
#endif /* USE_SSL_VERIFY */
{NULL, 0, 0, NULL, NULL, NULL},
};
diff --git a/url.c b/url.c
index 685cfbf..e8f2b29 100644
--- a/url.c
+++ b/url.c
@@ -448,12 +448,13 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
char *file = NULL, *path = NULL;
if (ssl_ca_file && *ssl_ca_file != '\0') file = ssl_ca_file;
if (ssl_ca_path && *ssl_ca_path != '\0') path = ssl_ca_path;
- if (!file && !path)
- SSL_CTX_set_default_verify_paths(ssl_ctx);
- else if (!SSL_CTX_load_verify_locations(ssl_ctx, file, path)) {
+ if ((file || path)
+ && !SSL_CTX_load_verify_locations(ssl_ctx, file, path)) {
free_ssl_ctx();
goto eend;
}
+ if (ssl_ca_default)
+ SSL_CTX_set_default_verify_paths(ssl_ctx);
}
#endif /* defined(USE_SSL_VERIFY) */
#endif /* SSLEAY_VERSION_NUMBER >= 0x0800 */