From owner-svn-src-all@FreeBSD.ORG Sat May 17 03:39:57 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5C22CCEB; Sat, 17 May 2014 03:39:57 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 49B8827A1; Sat, 17 May 2014 03:39:57 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s4H3dvDo050944; Sat, 17 May 2014 03:39:57 GMT (envelope-from des@svn.freebsd.org) Received: (from des@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s4H3dv2j050943; Sat, 17 May 2014 03:39:57 GMT (envelope-from des@svn.freebsd.org) Message-Id: <201405170339.s4H3dv2j050943@svn.freebsd.org> From: Dag-Erling Smørgrav Date: Sat, 17 May 2014 03:39:57 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r266291 - head/lib/libfetch X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 May 2014 03:39:57 -0000 Author: des Date: Sat May 17 03:39:56 2014 New Revision: 266291 URL: http://svnweb.freebsd.org/changeset/base/266291 Log: Look for root certificates in /usr/local/etc/ssl before /etc/ssl. MFH: 1 week Modified: head/lib/libfetch/common.c Modified: head/lib/libfetch/common.c ============================================================================== --- head/lib/libfetch/common.c Sat May 17 03:28:43 2014 (r266290) +++ head/lib/libfetch/common.c Sat May 17 03:39:56 2014 (r266291) @@ -688,6 +688,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX /* * Configure peer verification based on environment. */ +#define LOCAL_CERT_FILE "/usr/local/etc/ssl/cert.pem" +#define BASE_CERT_FILE "/etc/ssl/cert.pem" static int fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) { @@ -696,8 +698,12 @@ fetch_ssl_setup_peer_verification(SSL_CT const char *ca_cert_file, *ca_cert_path, *crl_file; if (getenv("SSL_NO_VERIFY_PEER") == NULL) { - ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ? - getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem"; + ca_cert_file = getenv("SSL_CA_CERT_FILE"); + if (ca_cert_file == NULL && + access(LOCAL_CERT_FILE, R_OK) == 0) + ca_cert_file = LOCAL_CERT_FILE; + if (ca_cert_file == NULL) + ca_cert_file = BASE_CERT_FILE; ca_cert_path = getenv("SSL_CA_CERT_PATH"); if (verbose) { fetch_info("Peer verification enabled");