From c4f588fbb7602d1c5d005a26bf4ba9d3aa3b89fa Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita
Date: Sun, 28 Feb 2021 18:35:42 +0900
Subject: New option ssl_ca_default to explicitly use OpenSSL default paths
---
 url.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'url.c')
diff --git a/url.c b/url.c
index 685cfbf..e8f2b29 100644
--- a/url.c
+++ b/url.c
@@ -448,12 +448,13 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
 char *file = NULL, *path = NULL;
 if (ssl_ca_file && *ssl_ca_file != '\0') file = ssl_ca_file;
 if (ssl_ca_path && *ssl_ca_path != '\0') path = ssl_ca_path;
- if (!file && !path)
- SSL_CTX_set_default_verify_paths(ssl_ctx);
- else if (!SSL_CTX_load_verify_locations(ssl_ctx, file, path)) {
+ if ((file || path)
+ && !SSL_CTX_load_verify_locations(ssl_ctx, file, path)) {
 free_ssl_ctx();
 goto eend;
 }
+ if (ssl_ca_default)
+ SSL_CTX_set_default_verify_paths(ssl_ctx);
 }
 #endif /* defined(USE_SSL_VERIFY) */
 #endif /* SSLEAY_VERSION_NUMBER >= 0x0800 */
--
cgit v1.2.3
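Review bot: The added `if (ssl_ca_default)` branch runs even after `ssl_ca_file`/`ssl_ca_path` have been loaded just above it, so the trust store becomes the union of the configured CAs and the OpenSSL default paths, whereas the removed code consulted the defaults only when neither option was set. The default value of `ssl_ca_default` is declared outside this diff; if it is enabled by default, a configuration that relied on `ssl_ca_file` alone to restrict trust to a private CA would now also accept the system roots, so the branch deserves a comment such as `/* adds the OpenSSL default CAs to any ssl_ca_file/ssl_ca_path entries; turn ssl_ca_default off to trust only those */`. The return value of `SSL_CTX_set_default_verify_paths()` is also still ignored, unlike the `SSL_CTX_load_verify_locations()` failure path; a consistent form would be `if (ssl_ca_default && !SSL_CTX_set_default_verify_paths(ssl_ctx)) { free_ssl_ctx(); goto eend; }`. The body of openSSLHandle starts and ends outside the hunk, so how an empty trust store (all three options unset) is reported to the user cannot be confirmed from here.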