29254dd3bfbe219e62d70ca11339f96b8a982790 galt Wed Dec 11 01:19:31 2024 -0800 Fix for https cert locations on Ubuntu/Debian.
diff --git src/lib/https.c src/lib/https.c
index fe8d324..c9c2c59 100644
--- src/lib/https.c
+++ src/lib/https.c
@@ -660,31 +660,45 @@
 // This makes it possible to trust certificates issued by an intermediate CA without having to trust its ancestor root CA.
 // GNU-TLS uses it, and openssl probably will do it in the future.
 // Currently this does not fix any of our known issues with users servers certs.
 // X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
 // verify_callback gets called once per certificate returned by the server.
 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
 /*
 * Let the verify_callback catch the verify_depth error so that we get
 * an appropriate error in the logfile.
 */
 SSL_CTX_set_verify_depth(ctx, atoi(https_cert_check_depth) + 1);
 // VITAL FOR PROPER VERIFICATION OF CERTS
-if (!SSL_CTX_set_default_verify_paths(ctx))
+if (fileExists("/etc/pki/tls/cert.pem"))
+{
+if (!SSL_CTX_load_verify_file(ctx, "/etc/pki/tls/cert.pem"))
+{
+warn("SSL set load_verify_file /etc/pki/tls/cert.pem failed");
+}
+}
+else if (fileExists("/etc/ssl/certs"))
+{
+if (!SSL_CTX_load_verify_dir(ctx, "/etc/ssl/certs"))
+{
+warn("SSL set load_verify_dir /etc/ssl/certs failed");
+}
+}
+else if (!SSL_CTX_set_default_verify_paths(ctx))
 {
 warn("SSL set default verify paths failed");
 }
 // add the hostName to the structure and set it here, making it available during callback.
 myData.hostName = hostName;
 doSetMyData = TRUE;
 }
 }
 // Don't want any retries since we are non-blocking bio now
 // This is available on newer versions of openssl
 //SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
 // this has become the default, but only matters for blocking mode which we are not using.
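Review bot: The new else-if chain makes the first bundle found the only trust source, so on a host that has /etc/pki/tls/cert.pem the library defaults that the replaced SSL_CTX_set_default_verify_paths() call honoured (OPENSSLDIR plus the SSL_CERT_FILE/SSL_CERT_DIR overrides) are no longer consulted, and if that single load fails the store is left empty with only a warn(). OpenSSL trust-store loading is additive, so the robust form is to keep the default-paths call unconditional and add the distro locations on top, as below; using SSL_CTX_load_verify_locations() for that also keeps OpenSSL 1.1.x builds compiling, since SSL_CTX_load_verify_file()/SSL_CTX_load_verify_dir() were introduced in 3.0. Note that registering a directory does not fail when /etc/ssl/certs lacks the hashed symlinks, so the warn() on the dir branch will not catch an unhashed directory — the only symptom is a verify failure at connect time, which might be worth a comment such as `// dir lookup needs c_rehash/update-ca-certificates hashes; an unhashed dir fails only at verify time`. Whether fileExists() reports true for a directory depends on its implementation, which is not visible here. The enclosing function starts and ends outside the hunk.
```c
// VITAL FOR PROPER VERIFICATION OF CERTS
// Loading is additive: keep the library defaults (honours SSL_CERT_FILE/SSL_CERT_DIR)
// and add the distro bundle locations on top, so one missing source does not empty the store.
if (!SSL_CTX_set_default_verify_paths(ctx))
    {
    warn("SSL set default verify paths failed");
    }
if (fileExists("/etc/pki/tls/cert.pem") && !SSL_CTX_load_verify_locations(ctx, "/etc/pki/tls/cert.pem", NULL))
    {
    warn("SSL load verify file /etc/pki/tls/cert.pem failed");
    }
if (fileExists("/etc/ssl/certs") && !SSL_CTX_load_verify_locations(ctx, NULL, "/etc/ssl/certs"))
    {
    warn("SSL load verify dir /etc/ssl/certs failed");
    }
/* … unchanged: myData.hostName assignment and the rest of the hunk … */
```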