diff --git a/src/drv_imap.c b/src/drv_imap.c
index 8981bb4..e5e0621 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -2263,6 +2263,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 #ifdef HAVE_LIBSSL
 server->ssl_type = -1;
 server->sconf.ssl_versions = -1;
+server->sconf.system_certs = 1;
 #endif
 server->max_in_progress = INT_MAX;
@@ -2308,6 +2309,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 cfg->file, cfg->line, server->sconf.cert_file );
 cfg->err = 1;
 }
+} else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
+server->sconf.system_certs = parse_bool( cfg );
 } else if (!strcasecmp( "SSLType", cfg->cmd )) {
 if (!strcasecmp( "None", cfg->val )) {
 server->ssl_type = SSL_None;
diff --git a/src/mbsync.1 b/src/mbsync.1
index 73b7853..599061e 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -301,13 +301,19 @@ Generally, the newest TLS version is recommended, but as this confuses
 some servers, \fBTLSv1\fR is the default.
 ..
 .TP
+\fBSystemCertificates\fR \fIyes\fR|\fIno\fR
+Whether the system's default root cerificate store should be loaded.
+(Default: \fIyes\fR)
+..
+.TP
 \fBCertificateFile\fR \fIpath\fR
 File containing additional X.509 certificates used to verify server identities.
 Directly matched peer certificates are always trusted, regardless of validity.
 .br
-Note that the system's default certificate store is always used and should
-not be specified here.
+Note that the system's default certificate store is always used
+(unless \fBSystemCertificates\fR is disabled)
+and should not be specified here.
 ..
 .TP
 \fBPipelineDepth\fR \fIdepth\fR
diff --git a/src/socket.c b/src/socket.c
index af83e09..bee11a1 100644
--- a/src/socket.c
+++ b/src/socket.c
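Review bot: The new `SystemCertificates` branch in the second drv_imap.c hunk stores the flag but nothing cross-checks it against `CertificateFile`, so a store configured with `SystemCertificates no` and no `CertificateFile` ends up with an empty verify store and, going by the man page text in this same diff, only directly matched peer certificates can then pass. That may be intended for pinning setups, so a warning at the point where the store's options are validated (imap_parse_store starts and ends outside this hunk) seems more appropriate than an error, e.g. `if (!server->sconf.system_certs && !server->sconf.cert_file) warn( "Warning: SystemCertificates is disabled and no CertificateFile is set\n" );`. The same combination is what the socket.c hunk later handles at context setup, where the resulting failure is a generic OpenSSL verify error that does not name the option.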
@@ -219,7 +219,7 @@ init_ssl_ctx( const server_conf_t *conf )
 return 0;
 }
 mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
-if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
+if (mconf->system_certs && !SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
 warn( "Warning: Unable to load default certificate files: %s\n",
 ERR_error_string( ERR_get_error(), 0 ) );
diff --git a/src/socket.h b/src/socket.h
index e9c3bca..78e3206 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -44,6 +44,7 @@ typedef struct server_conf {
 int port;
 #ifdef HAVE_LIBSSL
 char *cert_file;
+char system_certs;
 char ssl_versions;
 /* these are actually variables and are leaked at the end */
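Review bot: The new `mconf->system_certs &&` condition in the socket.c hunk deserves a comment, because the line just above it snapshots `num_trusted` from the store before the default paths are added, and with the flag off that snapshot now describes the entire store: `/* SystemCertificates no: the store keeps only the CertificateFile entries counted in num_trusted above, and may be empty */`. Whether `num_trusted` is 0 when no CertificateFile was given is inferred from that line rather than visible here, and init_ssl_ctx starts and continues outside the hunk, so the empty-store case is better flagged where the configuration is parsed than in this function.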