From 0d33a198172f3107e11ac9ac4f2977360b1e1c76 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 29 Apr 2009 11:32:23 +0000 Subject: [PATCH] try to load default NSS root certificates if the configuration option connection.ssl.trusted_ca_file is set to an empty string (#497788) --- elinks-nss-inc.patch | 19 +++++++++++++------ elinks.conf | 18 +++++++----------- elinks.spec | 6 +++++- 3 files changed, 25 insertions(+), 18 deletions(-) diff --git a/elinks-nss-inc.patch b/elinks-nss-inc.patch index 4ceab81..8e60c1d 100644 --- a/elinks-nss-inc.patch +++ b/elinks-nss-inc.patch @@ -1,7 +1,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/network/ssl/ssl.c ---- elinks-0.12pre3.orig/src/network/ssl/ssl.c 2009-04-28 13:12:19.365660000 +0200 -+++ elinks-0.12pre3/src/network/ssl/ssl.c 2009-04-28 13:26:39.287600358 +0200 -@@ -48,10 +48,16 @@ SSL_CTX *context = NULL; +--- elinks-0.12pre3.orig/src/network/ssl/ssl.c 2009-04-29 12:48:26.250878000 +0200 ++++ elinks-0.12pre3/src/network/ssl/ssl.c 2009-04-29 13:03:51.318746893 +0200 +@@ -48,10 +48,20 @@ SSL_CTX *context = NULL; static void init_openssl(struct module *module) { @@ -11,14 +11,18 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ SSL_CTX_set_options(context, SSL_OP_ALL); +#ifdef CONFIG_NSS_COMPAT_OSSL + ca_file = get_opt_str("connection.ssl.trusted_ca_file"); -+ SSL_CTX_load_verify_locations(context, ca_file, NULL); ++ if (*ca_file) ++ SSL_CTX_load_verify_locations(context, ca_file, NULL); ++ else ++ SSL_CTX_set_default_verify_paths(context); +#else ++ (void) ca_file; SSL_CTX_set_default_verify_paths(context); +#endif } static void -@@ -61,10 +67,27 @@ done_openssl(struct module *module) +@@ -61,10 +71,30 @@ done_openssl(struct module *module) } static struct option_info openssl_options[] = { 
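Review bot: Both trust-store calls in the new `#ifdef CONFIG_NSS_COMPAT_OSSL` branch of init_openssl() discard their return value, so a mistyped, unreadable or malformed `connection.ssl.trusted_ca_file` leaves the context without the configured CAs and nothing is reported. I would test the result, e.g. `if (!SSL_CTX_load_verify_locations(context, ca_file, NULL))`, and report the failure through the project's usual error path. A failed load should not silently fall back to `SSL_CTX_set_default_verify_paths(context)`, because that would trust more CAs than the administrator configured. The `*ca_file` test also assumes get_opt_str() never returns NULL, which is probably true for a registered option but is worth confirming. The declaration of `ca_file` and the start of the function are outside this hunk.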
@@ -33,6 +37,9 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ + "trusted certification authorities in PEM format. " + "ELinks then trusts certificates issued by these CAs.\n" + "\n" ++ "If you set this option to an empty string, default NSS root" ++ "certificates are loaded.\n" ++ "\n" + "If you change this option or the file, you must " + "restart ELinks for the changes to take effect. " + "This option affects GnuTLS and nss_compat_ossl but not " @@ -46,7 +53,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ INIT_OPT_TREE("connection.ssl", N_("Client Certificates"), "client_cert", OPT_SORT, -@@ -187,7 +210,8 @@ static struct option_info gnutls_options +@@ -187,7 +217,8 @@ static struct option_info gnutls_options "\n" "If you change this option or the file, you must " "restart ELinks for the changes to take effect. " diff --git a/elinks.conf b/elinks.conf index 21da3e6..1175846 100644 --- a/elinks.conf +++ b/elinks.conf 
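Review bot: The two adjacent string literals added to the `trusted_ca_file` description concatenate without a separator, so the help text will read "default NSS rootcertificates are loaded". The first literal needs a trailing space: `"If you set this option to an empty string, default NSS root "`. The neighbouring literals in the same description already end with a space before the next fragment. The openssl_options[] initializer begins and ends outside this hunk.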
@@ -1,16 +1,9 @@ ## ELinks 0.12pre3 configuration file -## This is ELinks configuration file. You can edit it manually, -## if you wish so; this file is edited by ELinks when you save -## options through UI, however only option values will be altered -## and missing options will be added at the end of file; if option -## is not written in this file, but in some file included from it, -## it is NOT counted as missing. Note that all your formatting, -## own comments and so on will be kept as-is. -## -## Obviously, if you don't like what ELinks is going to do with -## this file, you can change it by altering the config.saving_style -## option. Come on, aren't we friendly guys after all? +## This is ELinks global configuration file. You can keep global ELinks +## configuration here. Each user can also save its own ELinks configuration +## to ~/.elinks/elinks.conf. The per user configuration file can be edited +## by ELinks when you save options through UI. ## connection # Connection options. @@ -27,6 +20,9 @@ # authorities in PEM format. ELinks then trusts certificates issued by # these CAs. # + # If you set this option to an empty string, default NSS root certificates + # are loaded. + # # If you change this option or the file, you must restart ELinks for the # changes to take effect. This option affects GnuTLS and nss_compat_ossl # but not OpenSSL. diff --git a/elinks.spec b/elinks.spec index 06e07b9..6dd623f 100644 --- a/elinks.spec +++ b/elinks.spec @@ -1,7 +1,7 @@ Name: elinks Summary: A text-mode Web browser Version: 0.12 -Release: 0.14.pre3%{?dist} +Release: 0.15.pre3%{?dist} License: GPLv2 URL: http://elinks.or.cz Group: Applications/Internet 
@@ -126,6 +126,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man5/* %changelog +* Wed Apr 29 2009 Kamil Dudka 0.12-0.15.pre3 +- try to load default NSS root certificates if the configuration option + connection.ssl.trusted_ca_file is set to an empty string (#497788) + * Tue Apr 28 2009 Ondrej Vasik 0.12-0.14.pre3 - enable certificate verification by default via configuration file(#495532)