From 58a1a72988e9280343821243217c1fc7d5ddea46 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Thu, 29 Jun 2017 15:30:12 +0200 Subject: http: Only use system CA store if CaInfo is not set It turns out that curl only sets the system trust store if the CaInfo option is not set, so let's do the same here. --- methods/connect.cc | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) (limited to 'methods') diff --git a/methods/connect.cc b/methods/connect.cc index 63787226d..1a95e2597 100644 --- a/methods/connect.cc +++ b/methods/connect.cc @@ -658,15 +658,18 @@ bool UnwrapTLS(std::string Host, std::unique_ptr &Fd, gnutls_certificate_allocate_credentials(&tlsFd->credentials); // Credential setup - if ((err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials)) <= 0) - return _error->Error("Could not load TLS certificates: %s", - err == 0 - ? "No certificates available. Try installing ca-certificates." - : gnutls_strerror(err)); - std::string fileinfo = Owner->ConfigFind("CaInfo", ""); - if (!fileinfo.empty()) + if (fileinfo.empty()) + { + // No CaInfo specified, use system trust store. + if ((err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials)) <= 0) + return _error->Error("Could not load TLS certificates: %s", + err == 0 + ? "No certificates available. Try installing ca-certificates." + : gnutls_strerror(err)); + } { + // CA location has been set, use the specified one instead gnutls_certificate_set_verify_flags(tlsFd->credentials, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); err = gnutls_certificate_set_x509_trust_file(tlsFd->credentials, fileinfo.c_str(), GNUTLS_X509_FMT_PEM); if (err < 0) -- cgit v1.2.3