[glib-networking: 117/129] tls: fall back to the default openssl ca file if none is specified otherwise
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking: 117/129] tls: fall back to the default openssl ca file if none is specified otherwise
- Date: Sat, 2 Feb 2019 22:53:13 +0000 (UTC)
commit f3e52c5ab8f09b0fb604864b302223daf692e6ef
Author: Christoph Reiter <reiter christoph gmail com>
Date: Mon May 21 14:46:01 2018 +0200
tls: fall back to the default openssl ca file if none is specified otherwise
openssl provides X509_get_default_cert_file_env() which gives the env var (SSL_CERT_FILE)
to use for configuring the ca file path at runtime and X509_get_default_cert_file() which
gives a default path.
Assuming openssl is properly configured this makes glib-openssl work without setting
any path.
One remaining problem on Windows is that, while under MSYS2 openssl is patched to be
relocatable, this is not the case for all Windows openssl users. For that, introduce
a G_TLS_OPENSSL_HANDLE_CERT_RELOCATABLE env var which, when set, uses a hardcoded relative
path, as was the default before.
https://bugzilla.gnome.org/show_bug.cgi?id=795782
tls/openssl/gtlsbackend-openssl.c | 35 ++++++++++++++++++++++-------------
1 file changed, 22 insertions(+), 13 deletions(-)
---
diff --git a/tls/openssl/gtlsbackend-openssl.c b/tls/openssl/gtlsbackend-openssl.c
index 287404b..6515c77 100644
--- a/tls/openssl/gtlsbackend-openssl.c
+++ b/tls/openssl/gtlsbackend-openssl.c
@@ -186,23 +186,32 @@ g_tls_backend_openssl_real_create_database (GTlsBackendOpenssl *self,
GTlsDatabase *database;
#ifdef G_OS_WIN32
- gchar *module_dir;
- gchar *cert_path;
+ if (g_getenv ("G_TLS_OPENSSL_HANDLE_CERT_RELOCATABLE") != NULL)
+ {
+ gchar *module_dir;
- module_dir = g_win32_get_package_installation_directory_of_module (NULL);
- cert_path = g_build_filename (module_dir, "bin", "cert.pem", NULL);
- g_free (module_dir);
+ module_dir = g_win32_get_package_installation_directory_of_module (NULL);
+ anchor_file = g_build_filename (module_dir, "bin", "cert.pem", NULL);
+ g_free (module_dir);
+ }
+#endif
- if (g_file_test (cert_path, G_FILE_TEST_IS_REGULAR))
- anchor_file = cert_path;
- else
- g_free (cert_path);
-#else
-# ifdef GTLS_SYSTEM_CA_FILE
- anchor_file = g_strdup (GTLS_SYSTEM_CA_FILE);
-# endif
+#ifdef GTLS_SYSTEM_CA_FILE
+ if (anchor_file == NULL)
+ anchor_file = g_strdup (GTLS_SYSTEM_CA_FILE);
#endif
+ if (anchor_file == NULL)
+ {
+ const gchar *openssl_cert_file;
+
+ openssl_cert_file = g_getenv (X509_get_default_cert_file_env ());
+ if (openssl_cert_file == NULL)
+ openssl_cert_file = X509_get_default_cert_file ();
+
+ anchor_file = g_strdup (openssl_cert_file);
+ }
+
database = g_tls_file_database_new (anchor_file, error);
g_free (anchor_file);
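Review bot: The new fallback at `g_getenv (X509_get_default_cert_file_env ())` lets the process environment (`SSL_CERT_FILE`, per OpenSSL) select the trust anchors whenever no GTLS_SYSTEM_CA_FILE was compiled in, which mirrors what OpenSSL itself does but is a new externally controlled input that neither the code nor the commit message documents; I would add `/* Like OpenSSL itself, honour SSL_CERT_FILE from the environment: whoever controls the environment controls the trust store. */` above that line. Only the default cert *file* is consulted, not `X509_get_default_cert_dir ()` / `SSL_CERT_DIR`, so on a system whose OpenSSL trust store is a directory and whose compiled-in default file is absent, `g_tls_file_database_new` will presumably fail and the backend returns an error — fail-closed, which is the right outcome, but worth a one-line comment so nobody later "fixes" it by skipping verification. The Windows branch also drops the previous `g_file_test (…, G_FILE_TEST_IS_REGULAR)` check, so a missing `bin/cert.pem` now becomes an error instead of falling through to the other defaults; if that is intended, the "as was the default before" wording in the commit message should say so. `g_tls_backend_openssl_real_create_database` begins and ends outside this hunk.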