svn commit: r266291 - head/lib/libfetch
Bryan Drewery
bdrewery at FreeBSD.org
Sat May 17 03:50:37 UTC 2014
Thanks! This is really needed for 9.3 for ports. So I
hope re@ doesn't mind if it comes in after the freeze.
Thanks,
Bryan
On 2014-05-16 23:39, Dag-Erling Smørgrav wrote:
> Author: des
> Date: Sat May 17 03:39:56 2014
> New Revision: 266291
> URL: http://svnweb.freebsd.org/changeset/base/266291
>
> Log:
> Look for root certificates in /usr/local/etc/ssl before /etc/ssl.
>
> MFH: 1 week
>
> Modified:
> head/lib/libfetch/common.c
>
> Modified: head/lib/libfetch/common.c
> ==============================================================================
> --- head/lib/libfetch/common.c Sat May 17 03:28:43 2014 (r266290)
> +++ head/lib/libfetch/common.c Sat May 17 03:39:56 2014 (r266291)
> @@ -688,6 +688,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX
> /*
> * Configure peer verification based on environment.
> */
> +#define LOCAL_CERT_FILE "/usr/local/etc/ssl/cert.pem"
> +#define BASE_CERT_FILE "/etc/ssl/cert.pem"
> static int
> fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
> {
> @@ -696,8 +698,12 @@ fetch_ssl_setup_peer_verification(SSL_CT
> const char *ca_cert_file, *ca_cert_path, *crl_file;
>
> if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
> - ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ?
> - getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem";
> + ca_cert_file = getenv("SSL_CA_CERT_FILE");
> + if (ca_cert_file == NULL &&
> + access(LOCAL_CERT_FILE, R_OK) == 0)
> + ca_cert_file = LOCAL_CERT_FILE;
> + if (ca_cert_file == NULL)
> + ca_cert_file = BASE_CERT_FILE;
> ca_cert_path = getenv("SSL_CA_CERT_PATH");
> if (verbose) {
> fetch_info("Peer verification enabled");
--
Regards,
Bryan Drewery
More information about the svn-src-all
mailing list