Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 17 May 2014 03:39:57 +0000 (UTC)
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r266291 - head/lib/libfetch
Message-ID:  <201405170339.s4H3dv2j050943@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: des
Date: Sat May 17 03:39:56 2014
New Revision: 266291
URL: http://svnweb.freebsd.org/changeset/base/266291

Log:
  Look for root certificates in /usr/local/etc/ssl before /etc/ssl.
  
  MFH:	1 week

Modified:
  head/lib/libfetch/common.c

Modified: head/lib/libfetch/common.c
==============================================================================
--- head/lib/libfetch/common.c	Sat May 17 03:28:43 2014	(r266290)
+++ head/lib/libfetch/common.c	Sat May 17 03:39:56 2014	(r266291)
@@ -688,6 +688,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX 
 /*
  * Configure peer verification based on environment.
  */
+#define LOCAL_CERT_FILE	"/usr/local/etc/ssl/cert.pem"
+#define BASE_CERT_FILE	"/etc/ssl/cert.pem"
 static int
 fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
 {
@@ -696,8 +698,12 @@ fetch_ssl_setup_peer_verification(SSL_CT
 	const char *ca_cert_file, *ca_cert_path, *crl_file;
 
 	if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
-		ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ?
-		    getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem";
+		ca_cert_file = getenv("SSL_CA_CERT_FILE");
+		if (ca_cert_file == NULL &&
+		    access(LOCAL_CERT_FILE, R_OK) == 0)
+			ca_cert_file = LOCAL_CERT_FILE;
+		if (ca_cert_file == NULL)
+			ca_cert_file = BASE_CERT_FILE;
 		ca_cert_path = getenv("SSL_CA_CERT_PATH");
 		if (verbose) {
 			fetch_info("Peer verification enabled");



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201405170339.s4H3dv2j050943>