sipp11
/
mbsync
mirror of https://git.code.sf.net/p/isync/isync
1
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

make it possible to disable usage of system cert store

wip/server-refactor
Oswald Buddenhagen 10 years ago
parent
7822bd8a91
commit
aba3524d9b
4 changed files with 13 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      src/drv_imap.c
  2. 10
      src/mbsync.1
  3. 2
      src/socket.c
  4. 1
      src/socket.h

3
src/drv_imap.c
Unescape View File

@ -2263,6 +2263,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
server->ssl_type = -1; server->ssl_type = -1;
server->sconf.ssl_versions = -1; server->sconf.ssl_versions = -1;
server->sconf.system_certs = 1;
#endif #endif
server->max_in_progress = INT_MAX; server->max_in_progress = INT_MAX;
@ -2308,6 +2309,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
cfg->file, cfg->line, server->sconf.cert_file ); cfg->file, cfg->line, server->sconf.cert_file );
cfg->err = 1; cfg->err = 1;
} }
} else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
server->sconf.system_certs = parse_bool( cfg );
} else if (!strcasecmp( "SSLType", cfg->cmd )) { } else if (!strcasecmp( "SSLType", cfg->cmd )) {
if (!strcasecmp( "None", cfg->val )) { if (!strcasecmp( "None", cfg->val )) {
server->ssl_type = SSL_None; server->ssl_type = SSL_None;

10
src/mbsync.1
Unescape View File

@ -301,13 +301,19 @@ Generally, the newest TLS version is recommended, but as this confuses some
servers, \fBTLSv1\fR is the default. servers, \fBTLSv1\fR is the default.
.. ..
.TP .TP
\fBSystemCertificates\fR \fIyes\fR|\fIno\fR
Whether the system's default root cerificate store should be loaded.
(Default: \fIyes\fR)
..
.TP
\fBCertificateFile\fR \fIpath\fR \fBCertificateFile\fR \fIpath\fR
File containing additional X.509 certificates used to verify server File containing additional X.509 certificates used to verify server
identities. Directly matched peer certificates are always trusted, identities. Directly matched peer certificates are always trusted,
regardless of validity. regardless of validity.
.br .br
Note that the system's default certificate store is always used and should Note that the system's default certificate store is always used
not be specified here. (unless \fBSystemCertificates\fR is disabled)
and should not be specified here.
.. ..
.TP .TP
\fBPipelineDepth\fR \fIdepth\fR \fBPipelineDepth\fR \fIdepth\fR

2
src/socket.c
Unescape View File

@ -219,7 +219,7 @@ init_ssl_ctx( const server_conf_t *conf )
return 0; return 0;
} }
mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( mconf->SSLContext )->objs ); mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext )) if (mconf->system_certs && !SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
warn( "Warning: Unable to load default certificate files: %s\n", warn( "Warning: Unable to load default certificate files: %s\n",
ERR_error_string( ERR_get_error(), 0 ) ); ERR_error_string( ERR_get_error(), 0 ) );

1
src/socket.h
Unescape View File

@ -44,6 +44,7 @@ typedef struct server_conf {
int port; int port;
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
char *cert_file; char *cert_file;
char system_certs;
char ssl_versions; char ssl_versions;
/* these are actually variables and are leaked at the end */ /* these are actually variables and are leaked at the end */

Write Preview
Loading…
Cancel
Save