From c4f588fbb7602d1c5d005a26bf4ba9d3aa3b89fa Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita
Date: Sun, 28 Feb 2021 18:35:42 +0900
Subject: New option ssl_ca_default to explicitly use OpenSSL default paths
---
 doc-jp/README.SSL | 2 ++
 fm.h | 1 +
 rc.c | 3 +++
 url.c | 7 ++++---
 4 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/doc-jp/README.SSL b/doc-jp/README.SSL
index 525b5f5..99e9a42 100644
--- a/doc-jp/README.SSL
+++ b/doc-jp/README.SSL
@@ -45,6 +45,8 @@ SSL サポートについて
 ssl_ca_file ファイル名 SSLの認証局のPEM形式証明書群のファイル(デフォルトは未設定, configure時に自動検出可).
+ ssl_ca_default ON/OFF
+ SSLの認証局のPEM形式証明書群のために標準の場所を使う(デフォルトはON).
 ・ EGD (Entropy Gathering Daemon) が利用できる環境でこれを使いたい場合は, USE_EGD マクロをチェックしてみてください.
diff --git a/fm.h b/fm.h
index 997574a..ab14b66 100644
--- a/fm.h
+++ b/fm.h
@@ -1187,6 +1187,7 @@ global char *ssl_cert_file init(NULL);
 global char *ssl_key_file init(NULL);
 global char *ssl_ca_path init(NULL);
 global char *ssl_ca_file init(DEF_CAFILE);
+global int ssl_ca_default init(TRUE);
 global int ssl_path_modified init(FALSE);
 #endif /* defined(USE_SSL) &&
 * defined(USE_SSL_VERIFY) */
diff --git a/rc.c b/rc.c
index 308bd55..c238e3e 100644
--- a/rc.c
+++ b/rc.c
@@ -203,6 +203,7 @@ static int OptionEncode = FALSE;
 #define CMT_SSL_KEY_FILE N_("PEM encoded private key file of client")
 #define CMT_SSL_CA_PATH N_("Path to directory for PEM encoded certificates of CAs")
 #define CMT_SSL_CA_FILE N_("File consisting of PEM encoded certificates of CAs")
+#define CMT_SSL_CA_DEFAULT N_("Use default locations for PEM encoded certificates of CAs")
 #endif /* USE_SSL_VERIFY */
 #define CMT_SSL_FORBID_METHOD N_("List of forbidden SSL methods (2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)")
 #ifdef SSL_CTX_set_min_proto_version
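Review bot: `ssl_ca_default` is initialised to TRUE in the fm.h hunk, and in the url.c hunk `SSL_CTX_set_default_verify_paths` now runs whenever that flag is set rather than only when neither `ssl_ca_file` nor `ssl_ca_path` is configured, so an existing configuration that deliberately restricted trust to a private CA file (including the configure-detected DEF_CAFILE) will after this commit also trust every CA in OpenSSL's default store unless the user explicitly turns the new option off. That widening of the trust set is not stated in the commit message, the README entry or the option comment added in the first rc.c hunk, which reads as if the default locations were an alternative to the file/path settings. Suggest making the additive semantics explicit where the user sees it: `#define CMT_SSL_CA_DEFAULT N_("Also use default locations for PEM encoded certificates of CAs (in addition to ssl_ca_file/ssl_ca_path)")`, and a matching comment on the declaration, e.g. `global int ssl_ca_default init(TRUE); /* also load OpenSSL's default CA store, even when ssl_ca_file/ssl_ca_path are set */`.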
@@ -634,6 +635,8 @@ struct param_ptr params7[] = {
 NULL},
 {"ssl_ca_file", P_SSLPATH, PI_TEXT, (void *)&ssl_ca_file, CMT_SSL_CA_FILE,
 NULL},
+ {"ssl_ca_default", P_INT, PI_ONOFF, (void *)&ssl_ca_default,
+ CMT_SSL_CA_DEFAULT, NULL},
 #endif /* USE_SSL_VERIFY */
 {NULL, 0, 0, NULL, NULL, NULL},
 };
diff --git a/url.c b/url.c
index 685cfbf..e8f2b29 100644
--- a/url.c
+++ b/url.c
@@ -448,12 +448,13 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
 char *file = NULL, *path = NULL;
 if (ssl_ca_file && *ssl_ca_file != '\0') file = ssl_ca_file;
 if (ssl_ca_path && *ssl_ca_path != '\0') path = ssl_ca_path;
- if (!file && !path)
- SSL_CTX_set_default_verify_paths(ssl_ctx);
- else if (!SSL_CTX_load_verify_locations(ssl_ctx, file, path)) {
+ if ((file || path)
+ && !SSL_CTX_load_verify_locations(ssl_ctx, file, path)) {
 free_ssl_ctx();
 goto eend;
 }
+ if (ssl_ca_default)
+ SSL_CTX_set_default_verify_paths(ssl_ctx);
 }
 #endif /* defined(USE_SSL_VERIFY) */
 #endif /* SSLEAY_VERSION_NUMBER >= 0x0800 */
-- 
cgit v1.2.3
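Review bot: The return value of `SSL_CTX_set_default_verify_paths(ssl_ctx)` on the new line in the url.c hunk is discarded, so when OpenSSL cannot load its default store the context silently keeps only what `SSL_CTX_load_verify_locations` installed (or nothing at all when no file/path is set) and the problem only surfaces later as an opaque verification failure, whereas the `SSL_CTX_load_verify_locations` branch just above frees the context and jumps to `eend`. Treat both loaders the same way: `if (ssl_ca_default && !SSL_CTX_set_default_verify_paths(ssl_ctx)) {` followed by the same `free_ssl_ctx(); goto eend;` cleanup. Note also that with `ssl_ca_default` OFF and neither `ssl_ca_file` nor `ssl_ca_path` set, the context is left with no trust anchors at all; presumably that fails closed if server verification is enabled, but a warning at this point would spare the user an unexplained verification error. openSSLHandle begins before the hunk and continues after it.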