commit aba3524d9ba1da2357a92d51a9e7b0e1a93884b4
parent 7822bd8a91515551458dfeb78eea02c4dd5ddb5f
Author: Oswald Buddenhagen <ossi@users.sf.net>
Date: Sun, 27 Jul 2014 15:42:33 +0200
make it possible to disable usage of system cert store
Diffstat:
4 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/drv_imap.c b/src/drv_imap.c
@@ -2263,6 +2263,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
#ifdef HAVE_LIBSSL
server->ssl_type = -1;
server->sconf.ssl_versions = -1;
+ server->sconf.system_certs = 1;
#endif
server->max_in_progress = INT_MAX;
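Review bot: The "on" default for `system_certs` exists only as this assignment in imap_parse_store, and the new field in src/socket.h carries no comment saying so. Any server_conf_t that is zero-initialised and filled in elsewhere would silently run with the system store disabled; whether such a path exists is not visible from this hunk. I would document the field at its declaration, e.g. `char system_certs; /* bool: load the system default CA store; imap_parse_store defaults it to 1 */`, so the security-relevant default is stated where the struct is defined. The function body continues outside the hunk.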
@@ -2308,6 +2309,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
cfg->file, cfg->line, server->sconf.cert_file );
cfg->err = 1;
}
+ } else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
+ server->sconf.system_certs = parse_bool( cfg );
} else if (!strcasecmp( "SSLType", cfg->cmd )) {
if (!strcasecmp( "None", cfg->val )) {
server->ssl_type = SSL_None;
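Review bot: The new `SystemCertificates` branch accepts `no` without checking that a `CertificateFile` is configured, so a store with neither has no trust anchors at all. That presumably makes every TLS verification fail at connect time rather than being reported while the config is parsed. A check once the section is fully parsed, along the lines of `if (!server->sconf.system_certs && !server->sconf.cert_file)` followed by a diagnostic and `cfg->err = 1;`, would surface the misconfiguration early; it belongs after the keyword loop, which is outside this hunk, and should only apply when TLS is actually in use. Separately, the man page text added for this keyword in src/mbsync.1 spells "cerificate".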
diff --git a/src/mbsync.1 b/src/mbsync.1
@@ -301,13 +301,19 @@ Generally, the newest TLS version is recommended, but as this confuses some
servers, \fBTLSv1\fR is the default.
..
.TP
+\fBSystemCertificates\fR \fIyes\fR|\fIno\fR
+Whether the system's default root cerificate store should be loaded.
+(Default: \fIyes\fR)
+..
+.TP
\fBCertificateFile\fR \fIpath\fR
File containing additional X.509 certificates used to verify server
identities. Directly matched peer certificates are always trusted,
regardless of validity.
.br
-Note that the system's default certificate store is always used and should
-not be specified here.
+Note that the system's default certificate store is always used
+(unless \fBSystemCertificates\fR is disabled)
+and should not be specified here.
..
.TP
\fBPipelineDepth\fR \fIdepth\fR
diff --git a/src/socket.c b/src/socket.c
@@ -219,7 +219,7 @@ init_ssl_ctx( const server_conf_t *conf )
return 0;
}
mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
- if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
+ if (mconf->system_certs && !SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
warn( "Warning: Unable to load default certificate files: %s\n",
ERR_error_string( ERR_get_error(), 0 ) );
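Review bot: The new `mconf->system_certs &&` guard has no comment explaining what is skipped, and the effect is wider than the option name suggests. SSL_CTX_set_default_verify_paths also honours the SSL_CERT_FILE and SSL_CERT_DIR environment variables, so with the option off those are ignored as well and only the CertificateFile entries counted in `num_trusted` remain. I would add a comment above the condition, e.g. `/* system_certs off: trust only CertificateFile entries; SSL_CERT_FILE/SSL_CERT_DIR are not consulted */`. A failed load is still only a warning here, which is unchanged by this commit; init_ssl_ctx continues outside the hunk.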
diff --git a/src/socket.h b/src/socket.h
@@ -44,6 +44,7 @@ typedef struct server_conf {
int port;
#ifdef HAVE_LIBSSL
char *cert_file;
+ char system_certs;
char ssl_versions;
/* these are actually variables and are leaked at the end */