d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Look for root certificates in /usr/local/etc/ssl before /etc/ssl.

Browse Source 
MFH:	1 week
This commit is contained in:
Dag-Erling Smørgrav 2014-05-17 03:39:56 +00:00
parent 6953d7db5c
commit e9de92ad83
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=266291
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lib/libfetch/common.c
View File

@ -688,6 +688,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose)
/*
* Configure peer verification based on environment.
*/
#define LOCAL_CERT_FILE "/usr/local/etc/ssl/cert.pem"
#define BASE_CERT_FILE "/etc/ssl/cert.pem"
static int
fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
{
@ -696,8 +698,12 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
const char *ca_cert_file, *ca_cert_path, *crl_file;
if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ?
getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem";
ca_cert_file = getenv("SSL_CA_CERT_FILE");
if (ca_cert_file == NULL &&
access(LOCAL_CERT_FILE, R_OK) == 0)
ca_cert_file = LOCAL_CERT_FILE;
if (ca_cert_file == NULL)
ca_cert_file = BASE_CERT_FILE;
ca_cert_path = getenv("SSL_CA_CERT_PATH");
if (verbose) {
fetch_info("Peer verification enabled");