isync

mailbox synchronization program
git clone https://git.code.sf.net/p/isync/isync
Log | Files | Refs | README | LICENSE
commit aba3524d9ba1da2357a92d51a9e7b0e1a93884b4
parent 7822bd8a91515551458dfeb78eea02c4dd5ddb5f
Author: Oswald Buddenhagen <ossi@users.sf.net>
Date:   Sun, 27 Jul 2014 15:42:33 +0200

make it possible to disable usage of system cert store

Diffstat:

Msrc/drv_imap.c | 3+++


Msrc/mbsync.1 | 10++++++++--


Msrc/socket.c | 2+-


Msrc/socket.h | 1+


4 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/drv_imap.c b/src/drv_imap.c
@@ -2263,6 +2263,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 #ifdef HAVE_LIBSSL
 	server->ssl_type = -1;
 	server->sconf.ssl_versions = -1;
+	server->sconf.system_certs = 1;
 #endif
 	server->max_in_progress = INT_MAX;
 
@@ -2308,6 +2309,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 				           cfg->file, cfg->line, server->sconf.cert_file );
 				cfg->err = 1;
 			}
+		} else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
+			server->sconf.system_certs = parse_bool( cfg );
 		} else if (!strcasecmp( "SSLType", cfg->cmd )) {
 			if (!strcasecmp( "None", cfg->val )) {
 				server->ssl_type = SSL_None;
diff --git a/src/mbsync.1 b/src/mbsync.1
@@ -301,13 +301,19 @@ Generally, the newest TLS version is recommended, but as this confuses some
 servers, \fBTLSv1\fR is the default.
 ..
 .TP
+\fBSystemCertificates\fR \fIyes\fR|\fIno\fR
+Whether the system's default root cerificate store should be loaded.
+(Default: \fIyes\fR)
+..
+.TP
 \fBCertificateFile\fR \fIpath\fR
 File containing additional X.509 certificates used to verify server
 identities. Directly matched peer certificates are always trusted,
 regardless of validity.
 .br
-Note that the system's default certificate store is always used and should
-not be specified here.
+Note that the system's default certificate store is always used
+(unless \fBSystemCertificates\fR is disabled)
+and should not be specified here.
 ..
 .TP
 \fBPipelineDepth\fR \fIdepth\fR
diff --git a/src/socket.c b/src/socket.c
@@ -219,7 +219,7 @@ init_ssl_ctx( const server_conf_t *conf )
 		return 0;
 	}
 	mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
-	if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
+	if (mconf->system_certs && !SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
 		warn( "Warning: Unable to load default certificate files: %s\n",
 		      ERR_error_string( ERR_get_error(), 0 ) );
 
diff --git a/src/socket.h b/src/socket.h
@@ -44,6 +44,7 @@ typedef struct server_conf {
 	int port;
 #ifdef HAVE_LIBSSL
 	char *cert_file;
+	char system_certs;
 	char ssl_versions;
 
 	/* these are actually variables and are leaked at the end */