New option ssl_ca_default to explicitly use OpenSSL default paths
@@ -45,6 +45,8 @@ SSL サポートについて
ssl_ca_file ファイル名
ssl_ca_file ファイル名
SSLの認証局のPEM形式証明書群のファイル(デフォルトは未設定,
SSLの認証局のPEM形式証明書群のファイル(デフォルトは未設定,
configure時に自動検出可).
configure時に自動検出可).
ssl_ca_default ON/OFF
SSLの認証局のPEM形式証明書群のために標準の場所を使う(デフォルトはON).
・ EGD (Entropy Gathering Daemon) が利用できる環境でこれを使いたい場合は,
・ EGD (Entropy Gathering Daemon) が利用できる環境でこれを使いたい場合は,
USE_EGD マクロをチェックしてみてください.
USE_EGD マクロをチェックしてみてください.
@@ -1187,6 +1187,7 @@ global char *ssl_cert_file init(NULL);
global char *ssl_key_file init(NULL);
global char *ssl_key_file init(NULL);
global char *ssl_ca_path init(NULL);
global char *ssl_ca_path init(NULL);
global char *ssl_ca_file init(DEF_CAFILE);
global char *ssl_ca_file init(DEF_CAFILE);
global int ssl_ca_default init(TRUE);
global int ssl_path_modified init(FALSE);
global int ssl_path_modified init(FALSE);
#endif /* defined(USE_SSL) &&
#endif /* defined(USE_SSL) &&
* defined(USE_SSL_VERIFY) */
* defined(USE_SSL_VERIFY) */
@@ -203,6 +203,7 @@ static int OptionEncode = FALSE;
#define CMT_SSL_KEY_FILE N_("PEM encoded private key file of client")
#define CMT_SSL_KEY_FILE N_("PEM encoded private key file of client")
#define CMT_SSL_CA_PATH N_("Path to directory for PEM encoded certificates of CAs")
#define CMT_SSL_CA_PATH N_("Path to directory for PEM encoded certificates of CAs")
#define CMT_SSL_CA_FILE N_("File consisting of PEM encoded certificates of CAs")
#define CMT_SSL_CA_FILE N_("File consisting of PEM encoded certificates of CAs")
#define CMT_SSL_CA_DEFAULT N_("Use default locations for PEM encoded certificates of CAs")
#endif /* USE_SSL_VERIFY */
#endif /* USE_SSL_VERIFY */
#define CMT_SSL_FORBID_METHOD N_("List of forbidden SSL methods (2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)")
#define CMT_SSL_FORBID_METHOD N_("List of forbidden SSL methods (2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)")
#ifdef SSL_CTX_set_min_proto_version
#ifdef SSL_CTX_set_min_proto_version
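Review bot: The new help text `CMT_SSL_CA_DEFAULT` ("Use default locations for PEM encoded certificates of CAs") does not say how the option combines with ssl_ca_file and ssl_ca_path; the url.c hunk in this commit loads the explicit locations first and then adds the default paths, so the defaults are additive rather than a fallback. Wording such as `N_("Also use OpenSSL's default locations for PEM encoded certificates of CAs (in addition to ssl_ca_file/ssl_ca_path)")` would make that visible in the option panel. It would also tell a user who turns the option OFF that, with no ssl_ca_file or ssl_ca_path configured, no CA at all ends up trusted.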
@@ -634,6 +635,8 @@ struct param_ptr params7[] = {
NULL},
NULL},
{"ssl_ca_file", P_SSLPATH, PI_TEXT, (void *)&ssl_ca_file, CMT_SSL_CA_FILE,
{"ssl_ca_file", P_SSLPATH, PI_TEXT, (void *)&ssl_ca_file, CMT_SSL_CA_FILE,
NULL},
NULL},
{"ssl_ca_default", P_INT, PI_ONOFF, (void *)&ssl_ca_default,
CMT_SSL_CA_DEFAULT, NULL},
#endif /* USE_SSL_VERIFY */
#endif /* USE_SSL_VERIFY */
{NULL, 0, 0, NULL, NULL, NULL},
{NULL, 0, 0, NULL, NULL, NULL},
};
};
@@ -448,12 +448,13 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
char *file = NULL, *path = NULL;
char *file = NULL, *path = NULL;
if (ssl_ca_file && *ssl_ca_file != '\0') file = ssl_ca_file;
if (ssl_ca_file && *ssl_ca_file != '\0') file = ssl_ca_file;
if (ssl_ca_path && *ssl_ca_path != '\0') path = ssl_ca_path;
if (ssl_ca_path && *ssl_ca_path != '\0') path = ssl_ca_path;
if (!file && !path)
if ((file || path)
SSL_CTX_set_default_verify_paths(ssl_ctx);
&& !SSL_CTX_load_verify_locations(ssl_ctx, file, path)) {
else if (!SSL_CTX_load_verify_locations(ssl_ctx, file, path)) {
free_ssl_ctx();
free_ssl_ctx();
goto eend;
goto eend;
}
}
if (ssl_ca_default)
SSL_CTX_set_default_verify_paths(ssl_ctx);
}
}
#endif /* defined(USE_SSL_VERIFY) */
#endif /* defined(USE_SSL_VERIFY) */
#endif /* SSLEAY_VERSION_NUMBER >= 0x0800 */
#endif /* SSLEAY_VERSION_NUMBER >= 0x0800 */
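Review bot: The return value of `SSL_CTX_set_default_verify_paths(ssl_ctx)` in the new `if (ssl_ca_default)` branch is ignored, while the `SSL_CTX_load_verify_locations` call directly above it frees the context and jumps to `eend` on failure; the two trust-store loads should be handled the same way, e.g. `if (ssl_ca_default && !SSL_CTX_set_default_verify_paths(ssl_ctx)) {` with the same `free_ssl_ctx(); goto eend;` body. In practice OpenSSL's default-path loader is lenient about a missing default file or directory, so this check mostly catches allocation-level failures rather than an absent system CA bundle. The more consequential change is the new empty-trust-store case: with ssl_ca_default OFF and neither ssl_ca_file nor ssl_ca_path set, the removed code still loaded the default paths, whereas the new code loads nothing, so every server chain will fail verification unless verification is disabled elsewhere; a comment on the `if (ssl_ca_default)` line such as `/* ssl_ca_default=off with no ssl_ca_file/ssl_ca_path leaves the store empty: all chains fail verification */` would record that this is intended. openSSLHandle begins and ends outside the hunk, and the verify-mode setup that decides whether an empty store is fatal is not visible here.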