author | Julian Andres Klode <jak@debian.org> | 2017-06-29 15:30:12 +0200 |
---|---|---|
committer | Julian Andres Klode <jak@debian.org> | 2017-06-29 16:12:40 +0200 |
commit | 58a1a72988e9280343821243217c1fc7d5ddea46 (patch) | |
tree | 9ccc6869a28ff7ed29e38d8f4b2cc399199546ee | |
parent | 22ee196fb90997f9265dd9344054cb4f43f2046e (diff) |
http: Only use system CA store if CaInfo is not set
It turns out that curl only sets the system trust store if
the CaInfo option is not set, so let's do the same here.
-rw-r--r-- | methods/connect.cc | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/methods/connect.cc b/methods/connect.cc
index 63787226d..1a95e2597 100644
--- a/methods/connect.cc
+++ b/methods/connect.cc
@@ -658,15 +658,18 @@ bool UnwrapTLS(std::string Host, std::unique_ptr<MethodFd> &Fd,
 gnutls_certificate_allocate_credentials(&tlsFd->credentials);
 // Credential setup
-if ((err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials)) <= 0)
-return _error->Error("Could not load TLS certificates: %s",
-err == 0
-? "No certificates available. Try installing ca-certificates."
-: gnutls_strerror(err));
-
 std::string fileinfo = Owner->ConfigFind("CaInfo", "");
-if (!fileinfo.empty())
+if (fileinfo.empty())
+{
+// No CaInfo specified, use system trust store.
+if ((err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials)) <= 0)
+return _error->Error("Could not load TLS certificates: %s",
+err == 0
+? "No certificates available. Try installing ca-certificates."
+: gnutls_strerror(err));
+}
 {
+// CA location has been set, use the specified one instead
 gnutls_certificate_set_verify_flags(tlsFd->credentials, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
 err = gnutls_certificate_set_x509_trust_file(tlsFd->credentials, fileinfo.c_str(), GNUTLS_X509_FMT_PEM);
 if (err < 0)
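Review bot: The `}` that closes the new `if (fileinfo.empty())` block is followed directly by the unchanged context line `{`, with no `else` between them, so the CaInfo branch that calls `gnutls_certificate_set_x509_trust_file` with `fileinfo.c_str()` now runs unconditionally — including when CaInfo is unset and the system store has just been loaded, where it would be handed an empty path and presumably fail on the `if (err < 0)` check that follows. The hunk's 15→18 line count and the 10-insertion diffstat agree that no `else` line was added, unless this page's collapsed rendering dropped it. The intended structure is `}` / `else` / `{` so that exactly one trust source is configured per connection. A comment on the CaInfo branch such as `// Only the CaInfo file is trusted here; the system store is deliberately not loaded` would make the either/or intent explicit for future readers. UnwrapTLS continues beyond the hunk on both sides.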