elinks/elinks-nss-inc.patch
Kamil Dudka 0d33a19817 try to load default NSS root certificates if the configuration option
connection.ssl.trusted_ca_file is set to an empty string (#497788)
2009-04-29 11:32:23 +00:00


diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/network/ssl/ssl.c
--- elinks-0.12pre3.orig/src/network/ssl/ssl.c 2009-04-29 12:48:26.250878000 +0200
+++ elinks-0.12pre3/src/network/ssl/ssl.c 2009-04-29 13:03:51.318746893 +0200
@@ -48,10 +48,20 @@ SSL_CTX *context = NULL;
static void
init_openssl(struct module *module)
{
+ unsigned char *ca_file;
SSLeay_add_ssl_algorithms();
context = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_options(context, SSL_OP_ALL);
+#ifdef CONFIG_NSS_COMPAT_OSSL
+ ca_file = get_opt_str("connection.ssl.trusted_ca_file");
+ if (*ca_file)
+ SSL_CTX_load_verify_locations(context, ca_file, NULL);
+ else
+ SSL_CTX_set_default_verify_paths(context);
+#else
+ (void) ca_file;
SSL_CTX_set_default_verify_paths(context);
+#endif
}
static void
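Review bot: The return value of `SSL_CTX_load_verify_locations()` is discarded in the `CONFIG_NSS_COMPAT_OSSL` branch of `init_openssl()`, so a missing or unreadable `connection.ssl.trusted_ca_file` leaves the context without the configured trust anchors and nothing tells the user why verification then fails. The call returns 1 on success; test it, e.g. `if (!SSL_CTX_load_verify_locations(context, (const char *) ca_file, NULL))`, and report the failure instead of continuing silently (the cast also settles the `unsigned char *` to `const char *` mismatch). Separately, `ca_file` is declared unconditionally and then read while uninitialised by `(void) ca_file;` in the `#else` branch; declaring it inside the `#ifdef` block removes both the indeterminate read and the need for the cast-to-void workaround.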
@@ -61,10 +71,30 @@ done_openssl(struct module *module)
}
static struct option_info openssl_options[] = {
+#ifdef CONFIG_NSS_COMPAT_OSSL
+ INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
+ "cert_verify", 0, 0,
+ N_("Verify the peer's SSL certificate.")),
+
+ INIT_OPT_STRING("connection.ssl", N_("Trusted CA file"),
+ "trusted_ca_file", 0, "/etc/pki/tls/certs/ca-bundle.crt",
+ N_("The location of a file containing certificates of "
+ "trusted certification authorities in PEM format. "
+ "ELinks then trusts certificates issued by these CAs.\n"
+ "\n"
+ "If you set this option to an empty string, default NSS root"
+ "certificates are loaded.\n"
+ "\n"
+ "If you change this option or the file, you must "
+ "restart ELinks for the changes to take effect. "
+ "This option affects GnuTLS and nss_compat_ossl but not "
+ "OpenSSL.")),
+#else
INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
"cert_verify", 0, 0,
N_("Verify the peer's SSL certificate. Note that this "
"needs extensive configuration of OpenSSL by the user.")),
+#endif
INIT_OPT_TREE("connection.ssl", N_("Client Certificates"),
"client_cert", OPT_SORT,
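Review bot: In the new `CONFIG_NSS_COMPAT_OSSL` branch `cert_verify` is still registered with `0, 0`, which looks like flags and a default of off (inferred from the argument order, the macro definition is not visible here), so the new `trusted_ca_file` default would have no effect until the user turns verification on; if that is intended, the help text should say so. The help text also loses a space where two literals are joined: `"default NSS root"` followed by `"certificates are loaded.\n"` renders as "rootcertificates", so the first literal should read `"If you set this option to an empty string, default NSS root "`. The hard-coded default `/etc/pki/tls/certs/ca-bundle.crt` is a distribution-specific path, which deserves a short comment above the entry. The `openssl_options` array continues past the end of this hunk.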
@@ -187,7 +217,8 @@ static struct option_info gnutls_options
"\n"
"If you change this option or the file, you must "
"restart ELinks for the changes to take effect. "
- "This option affects GnuTLS but not OpenSSL.")),
+ "This option affects GnuTLS and nss_compat_ossl but not "
+ "OpenSSL.")),
NULL_OPTION_INFO,
};