-rw-r--r-- | methods/connect.cc | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/methods/connect.cc b/methods/connect.cc
index 63787226d..1a95e2597 100644
--- a/methods/connect.cc
+++ b/methods/connect.cc
@@ -658,15 +658,18 @@ bool UnwrapTLS(std::string Host, std::unique_ptr<MethodFd> &Fd,
 gnutls_certificate_allocate_credentials(&tlsFd->credentials);
 // Credential setup
- if ((err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials)) <= 0)
- return _error->Error("Could not load TLS certificates: %s",
- err == 0
- ? "No certificates available. Try installing ca-certificates."
- : gnutls_strerror(err));
-
 std::string fileinfo = Owner->ConfigFind("CaInfo", "");
- if (!fileinfo.empty())
+ if (fileinfo.empty())
+ {
+ // No CaInfo specified, use system trust store.
+ if ((err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials)) <= 0)
+ return _error->Error("Could not load TLS certificates: %s",
+ err == 0
+ ? "No certificates available. Try installing ca-certificates."
+ : gnutls_strerror(err));
+ }
 {
+ // CA location has been set, use the specified one instead
 gnutls_certificate_set_verify_flags(tlsFd->credentials, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
 err = gnutls_certificate_set_x509_trust_file(tlsFd->credentials, fileinfo.c_str(), GNUTLS_X509_FMT_PEM);
 if (err < 0)
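Review bot: The new `if (fileinfo.empty()) { … }` block is not joined to the following `{ // CA location has been set … }` block by an `else`, so as the hunk reads the second block is a bare compound statement that runs on every connection, and with CaInfo unset it calls `gnutls_certificate_set_x509_trust_file` with an empty path — which presumably returns a negative error and turns every default (system trust store) connection into a failure. The added comment "use the specified one instead" states the intended either/or, so the fix is one line on the new side: `else` between the closing `}` and the opening `{`; if that line was merely lost in rendering, disregard. Since the CaInfo file now replaces rather than supplements the system store, that behaviour change is worth stating wherever the `CaInfo` option is documented. The body of UnwrapTLS continues outside the hunk on both ends.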