29254dd3bfbe219e62d70ca11339f96b8a982790
galt
  Wed Dec 11 01:19:31 2024 -0800
Fix for https cert locations on Ubuntu/Debian.

diff --git src/lib/https.c src/lib/https.c
index fe8d324..c9c2c59 100644
--- src/lib/https.c
+++ src/lib/https.c
@@ -660,31 +660,45 @@
         // This makes it possible to trust certificates issued by an intermediate CA without having to trust its ancestor root CA.
         // GNU-TLS uses it, and openssl probably will do it in the future. 
         // Currently this does not fix any of our known issues with users servers certs.
 	// X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
 
 	// verify_callback gets called once per certificate returned by the server.
 	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
 
 	/*
 	 * Let the verify_callback catch the verify_depth error so that we get
 	 * an appropriate error in the logfile.
 	 */
 	SSL_CTX_set_verify_depth(ctx, atoi(https_cert_check_depth) + 1);
 
 	// VITAL FOR PROPER VERIFICATION OF CERTS
-	if (!SSL_CTX_set_default_verify_paths(ctx)) 
+        if (fileExists("/etc/pki/tls/cert.pem"))
+	    {
+	    if (!SSL_CTX_load_verify_file(ctx, "/etc/pki/tls/cert.pem"))
+		{
+		warn("SSL set load_verify_file /etc/pki/tls/cert.pem failed");
+		}
+	    }
+        else if (fileExists("/etc/ssl/certs"))
+	    {
+	    if (!SSL_CTX_load_verify_dir(ctx, "/etc/ssl/certs"))
+		{
+		warn("SSL set load_verify_dir /etc/ssl/certs failed");
+		}
+	    }
+        else if (!SSL_CTX_set_default_verify_paths(ctx)) 
 	    {
 	    warn("SSL set default verify paths failed");
 	    }
 
 	// add the hostName to the structure and set it here, making it available during callback.
 	myData.hostName = hostName;
 	doSetMyData = TRUE;
 
 	} 
     }
 
 // Don't want any retries since we are non-blocking bio now
 // This is available on newer versions of openssl
 //SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);  // this has become the default, but only matters for blocking mode which we are not using.
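Review bot: The new chain at the `// VITAL FOR PROPER VERIFICATION OF CERTS` block replaces `SSL_CTX_set_default_verify_paths` instead of adding to it, so when `/etc/pki/tls/cert.pem` or `/etc/ssl/certs` exists but the load fails, the code only warns and the trust store is left with nothing in it, and the `SSL_CERT_FILE`/`SSL_CERT_DIR` overrides that the default path lookup honors are silently ignored on those systems. Whether an empty store then fails closed depends on `verify_callback`, which is outside this hunk. A safer shape is to call `SSL_CTX_set_default_verify_paths(ctx)` unconditionally first and then load the two distro locations on top of it, as in the sketch below. Note also that `SSL_CTX_load_verify_file`/`SSL_CTX_load_verify_dir` are OpenSSL 3.0 APIs, so if the build still has to link against 1.1.x they need a version guard or `SSL_CTX_load_verify_locations`; and the added lines at the three `if`/`else if` starts use spaces where the surrounding block uses tabs. The enclosing function starts and ends outside the hunk.
```c
	// VITAL FOR PROPER VERIFICATION OF CERTS
	// Defaults first: this honors SSL_CERT_FILE/SSL_CERT_DIR and the compiled-in paths.
	if (!SSL_CTX_set_default_verify_paths(ctx))
	    {
	    warn("SSL set default verify paths failed");
	    }
	// Then add the common distro locations so a wrong compiled-in default still leaves a populated store.
	if (fileExists("/etc/pki/tls/cert.pem"))
	    {
	    if (!SSL_CTX_load_verify_file(ctx, "/etc/pki/tls/cert.pem"))
		{
		warn("SSL set load_verify_file /etc/pki/tls/cert.pem failed");
		}
	    }
	if (fileExists("/etc/ssl/certs"))
	    {
	    if (!SSL_CTX_load_verify_dir(ctx, "/etc/ssl/certs"))
		{
		warn("SSL set load_verify_dir /etc/ssl/certs failed");
		}
	    }
	/* … unchanged: myData.hostName assignment and the rest of the block … */
```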