svn commit: r266291 - head/lib/libfetch
Dag-Erling Smørgrav
des at FreeBSD.org
Sat May 17 03:39:57 UTC 2014
Author: des
Date: Sat May 17 03:39:56 2014
New Revision: 266291
URL: http://svnweb.freebsd.org/changeset/base/266291
Log:
Look for root certificates in /usr/local/etc/ssl before /etc/ssl.
MFH: 1 week
Modified:
head/lib/libfetch/common.c
Modified: head/lib/libfetch/common.c
==============================================================================
--- head/lib/libfetch/common.c Sat May 17 03:28:43 2014 (r266290)
+++ head/lib/libfetch/common.c Sat May 17 03:39:56 2014 (r266291)
@@ -688,6 +688,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX
/*
* Configure peer verification based on environment.
*/
+#define LOCAL_CERT_FILE "/usr/local/etc/ssl/cert.pem"
+#define BASE_CERT_FILE "/etc/ssl/cert.pem"
static int
fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
{
@@ -696,8 +698,12 @@ fetch_ssl_setup_peer_verification(SSL_CT
const char *ca_cert_file, *ca_cert_path, *crl_file;
if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
- ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ?
- getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem";
+ ca_cert_file = getenv("SSL_CA_CERT_FILE");
+ if (ca_cert_file == NULL &&
+ access(LOCAL_CERT_FILE, R_OK) == 0)
+ ca_cert_file = LOCAL_CERT_FILE;
+ if (ca_cert_file == NULL)
+ ca_cert_file = BASE_CERT_FILE;
ca_cert_path = getenv("SSL_CA_CERT_PATH");
if (verbose) {
fetch_info("Peer verification enabled");
More information about the svn-src-head
mailing list