Browse Source

make it possible to disable usage of system cert store

wip/server-refactor
Oswald Buddenhagen 11 years ago
parent
commit
aba3524d9b
  1. 3
      src/drv_imap.c
  2. 10
      src/mbsync.1
  3. 2
      src/socket.c
  4. 1
      src/socket.h

3
src/drv_imap.c

@ -2263,6 +2263,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
server->ssl_type = -1; server->ssl_type = -1;
server->sconf.ssl_versions = -1; server->sconf.ssl_versions = -1;
server->sconf.system_certs = 1;
#endif #endif
server->max_in_progress = INT_MAX; server->max_in_progress = INT_MAX;
@ -2308,6 +2309,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
cfg->file, cfg->line, server->sconf.cert_file ); cfg->file, cfg->line, server->sconf.cert_file );
cfg->err = 1; cfg->err = 1;
} }
} else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
server->sconf.system_certs = parse_bool( cfg );
} else if (!strcasecmp( "SSLType", cfg->cmd )) { } else if (!strcasecmp( "SSLType", cfg->cmd )) {
if (!strcasecmp( "None", cfg->val )) { if (!strcasecmp( "None", cfg->val )) {
server->ssl_type = SSL_None; server->ssl_type = SSL_None;

10
src/mbsync.1

@ -301,13 +301,19 @@ Generally, the newest TLS version is recommended, but as this confuses some
servers, \fBTLSv1\fR is the default. servers, \fBTLSv1\fR is the default.
.. ..
.TP .TP
\fBSystemCertificates\fR \fIyes\fR|\fIno\fR
Whether the system's default root cerificate store should be loaded.
(Default: \fIyes\fR)
..
.TP
\fBCertificateFile\fR \fIpath\fR \fBCertificateFile\fR \fIpath\fR
File containing additional X.509 certificates used to verify server File containing additional X.509 certificates used to verify server
identities. Directly matched peer certificates are always trusted, identities. Directly matched peer certificates are always trusted,
regardless of validity. regardless of validity.
.br .br
Note that the system's default certificate store is always used and should Note that the system's default certificate store is always used
not be specified here. (unless \fBSystemCertificates\fR is disabled)
and should not be specified here.
.. ..
.TP .TP
\fBPipelineDepth\fR \fIdepth\fR \fBPipelineDepth\fR \fIdepth\fR

2
src/socket.c

@ -219,7 +219,7 @@ init_ssl_ctx( const server_conf_t *conf )
return 0; return 0;
} }
mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( mconf->SSLContext )->objs ); mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext )) if (mconf->system_certs && !SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
warn( "Warning: Unable to load default certificate files: %s\n", warn( "Warning: Unable to load default certificate files: %s\n",
ERR_error_string( ERR_get_error(), 0 ) ); ERR_error_string( ERR_get_error(), 0 ) );

1
src/socket.h

@ -44,6 +44,7 @@ typedef struct server_conf {
int port; int port;
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
char *cert_file; char *cert_file;
char system_certs;
char ssl_versions; char ssl_versions;
/* these are actually variables and are leaked at the end */ /* these are actually variables and are leaked at the end */

Loading…
Cancel
Save