authorJulian Andres Klode <jak@debian.org>2017-06-29 15:30:12 +0200
committerJulian Andres Klode <jak@debian.org>2017-06-29 16:12:40 +0200
commit58a1a72988e9280343821243217c1fc7d5ddea46 (patch)
tree9ccc6869a28ff7ed29e38d8f4b2cc399199546ee
parent22ee196fb90997f9265dd9344054cb4f43f2046e (diff)
http: Only use system CA store if CaInfo is not set
It turns out that curl only sets the system trust store if the CaInfo option is not set, so let's do the same here.
-rw-r--r--methods/connect.cc17
1 files changed, 10 insertions, 7 deletions
diff --git a/methods/connect.cc b/methods/connect.cc
index 63787226d..1a95e2597 100644
--- a/methods/connect.cc
+++ b/methods/connect.cc
@@ -658,15 +658,18 @@ bool UnwrapTLS(std::string Host, std::unique_ptr<MethodFd> &Fd,
gnutls_certificate_allocate_credentials(&tlsFd->credentials);
// Credential setup
- if ((err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials)) <= 0)
- return _error->Error("Could not load TLS certificates: %s",
- err == 0
- ? "No certificates available. Try installing ca-certificates."
- : gnutls_strerror(err));
-
std::string fileinfo = Owner->ConfigFind("CaInfo", "");
- if (!fileinfo.empty())
+ if (fileinfo.empty())
+ {
+ // No CaInfo specified, use system trust store.
+ if ((err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials)) <= 0)
+ return _error->Error("Could not load TLS certificates: %s",
+ err == 0
+ ? "No certificates available. Try installing ca-certificates."
+ : gnutls_strerror(err));
+ }
{
+ // CA location has been set, use the specified one instead
gnutls_certificate_set_verify_flags(tlsFd->credentials, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
err = gnutls_certificate_set_x509_trust_file(tlsFd->credentials, fileinfo.c_str(), GNUTLS_X509_FMT_PEM);
if (err < 0)