New option ssl_ca_default to explicitly use OpenSSL default paths

2021-02-28 18:35:42 +09:00
parent ab6a035a06
commit c4f588fbb7
4 changed files with 10 additions and 3 deletions
--- a/doc-jp/README.SSL
+++ b/doc-jp/README.SSL
@@ -45,6 +45,8 @@ SSL サポートについて
    ssl_ca_file ファイル名
        SSLの認証局のPEM形式証明書群のファイル(デフォルトは未設定,
        configure時に自動検出可).
+    ssl_ca_default ON/OFF
+        SSLの認証局のPEM形式証明書群のために標準の場所を使う(デフォルトはON).

 ・ EGD (Entropy Gathering Daemon) が利用できる環境でこれを使いたい場合は,
    USE_EGD マクロをチェックしてみてください.
--- a/fm.h
+++ b/fm.h
@@ -1187,6 +1187,7 @@ global char *ssl_cert_file init(NULL);
 global char *ssl_key_file init(NULL);
 global char *ssl_ca_path init(NULL);
 global char *ssl_ca_file init(DEF_CAFILE);
+global int ssl_ca_default init(TRUE);
 global int ssl_path_modified init(FALSE);
 #endif				/* defined(USE_SSL) &&
 				 * defined(USE_SSL_VERIFY) */
--- a/rc.c
+++ b/rc.c
@@ -203,6 +203,7 @@ static int OptionEncode = FALSE;
 #define CMT_SSL_KEY_FILE N_("PEM encoded private key file of client")
 #define CMT_SSL_CA_PATH N_("Path to directory for PEM encoded certificates of CAs")
 #define CMT_SSL_CA_FILE N_("File consisting of PEM encoded certificates of CAs")
+#define CMT_SSL_CA_DEFAULT N_("Use default locations for PEM encoded certificates of CAs")
 #endif				/* USE_SSL_VERIFY */
 #define CMT_SSL_FORBID_METHOD N_("List of forbidden SSL methods (2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)")
 #ifdef SSL_CTX_set_min_proto_version
@@ -634,6 +635,8 @@ struct param_ptr params7[] = {
     NULL},
    {"ssl_ca_file", P_SSLPATH, PI_TEXT, (void *)&ssl_ca_file, CMT_SSL_CA_FILE,
     NULL},
+    {"ssl_ca_default", P_INT, PI_ONOFF, (void *)&ssl_ca_default,
+     CMT_SSL_CA_DEFAULT, NULL},
 #endif				/* USE_SSL_VERIFY */
    {NULL, 0, 0, NULL, NULL, NULL},
 };
--- a/url.c
+++ b/url.c
@@ -448,12 +448,13 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
 	    char *file = NULL, *path = NULL;
 	    if (ssl_ca_file && *ssl_ca_file != '\0') file = ssl_ca_file;
 	    if (ssl_ca_path && *ssl_ca_path != '\0') path = ssl_ca_path;
-	    if (!file && !path)
-		SSL_CTX_set_default_verify_paths(ssl_ctx);
-	    else if (!SSL_CTX_load_verify_locations(ssl_ctx, file, path)) {
+	    if ((file || path)
+		&& !SSL_CTX_load_verify_locations(ssl_ctx, file, path)) {
 		free_ssl_ctx();
 		goto eend;
 	    }
+	    if (ssl_ca_default)
+		SSL_CTX_set_default_verify_paths(ssl_ctx);
 	}
 #endif				/* defined(USE_SSL_VERIFY) */
 #endif				/* SSLEAY_VERSION_NUMBER >= 0x0800 */