Browse Source

make it possible to disable usage of system cert store

wip/server-refactor
Oswald Buddenhagen 10 years ago
parent
commit
aba3524d9b
  1. 3
      src/drv_imap.c
  2. 10
      src/mbsync.1
  3. 2
      src/socket.c
  4. 1
      src/socket.h

3
src/drv_imap.c

@ -2263,6 +2263,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
#ifdef HAVE_LIBSSL
server->ssl_type = -1;
server->sconf.ssl_versions = -1;
server->sconf.system_certs = 1;
#endif
server->max_in_progress = INT_MAX;
@ -2308,6 +2309,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
cfg->file, cfg->line, server->sconf.cert_file );
cfg->err = 1;
}
} else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
server->sconf.system_certs = parse_bool( cfg );
} else if (!strcasecmp( "SSLType", cfg->cmd )) {
if (!strcasecmp( "None", cfg->val )) {
server->ssl_type = SSL_None;

10
src/mbsync.1

@ -301,13 +301,19 @@ Generally, the newest TLS version is recommended, but as this confuses some
servers, \fBTLSv1\fR is the default.
..
.TP
\fBSystemCertificates\fR \fIyes\fR|\fIno\fR
Whether the system's default root cerificate store should be loaded.
(Default: \fIyes\fR)
..
.TP
\fBCertificateFile\fR \fIpath\fR
File containing additional X.509 certificates used to verify server
identities. Directly matched peer certificates are always trusted,
regardless of validity.
.br
Note that the system's default certificate store is always used and should
not be specified here.
Note that the system's default certificate store is always used
(unless \fBSystemCertificates\fR is disabled)
and should not be specified here.
..
.TP
\fBPipelineDepth\fR \fIdepth\fR

2
src/socket.c

@ -219,7 +219,7 @@ init_ssl_ctx( const server_conf_t *conf )
return 0;
}
mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
if (mconf->system_certs && !SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
warn( "Warning: Unable to load default certificate files: %s\n",
ERR_error_string( ERR_get_error(), 0 ) );

1
src/socket.h

@ -44,6 +44,7 @@ typedef struct server_conf {
int port;
#ifdef HAVE_LIBSSL
char *cert_file;
char system_certs;
char ssl_versions;
/* these are actually variables and are leaked at the end */

Loading…
Cancel
Save