From e9de92ad83d63a83665a5faa7197ed2e7d6cf379 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= Date: Sat, 17 May 2014 03:39:56 +0000 Subject: [PATCH] Look for root certificates in /usr/local/etc/ssl before /etc/ssl. MFH: 1 week --- lib/libfetch/common.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c index 5cc7e263b0c5..3f8ef3b36325 100644 --- a/lib/libfetch/common.c +++ b/lib/libfetch/common.c @@ -688,6 +688,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) /* * Configure peer verification based on environment. */ +#define LOCAL_CERT_FILE "/usr/local/etc/ssl/cert.pem" +#define BASE_CERT_FILE "/etc/ssl/cert.pem" static int fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) { @@ -696,8 +698,12 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) const char *ca_cert_file, *ca_cert_path, *crl_file; if (getenv("SSL_NO_VERIFY_PEER") == NULL) { - ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ? - getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem"; + ca_cert_file = getenv("SSL_CA_CERT_FILE"); + if (ca_cert_file == NULL && + access(LOCAL_CERT_FILE, R_OK) == 0) + ca_cert_file = LOCAL_CERT_FILE; + if (ca_cert_file == NULL) + ca_cert_file = BASE_CERT_FILE; ca_cert_path = getenv("SSL_CA_CERT_PATH"); if (verbose) { fetch_info("Peer verification enabled");