make it possible to disable usage of system cert store
This commit is contained in:
parent
7822bd8a91
commit
aba3524d9b
|
@ -2263,6 +2263,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
|||
#ifdef HAVE_LIBSSL
|
||||
server->ssl_type = -1;
|
||||
server->sconf.ssl_versions = -1;
|
||||
server->sconf.system_certs = 1;
|
||||
#endif
|
||||
server->max_in_progress = INT_MAX;
|
||||
|
||||
|
@ -2308,6 +2309,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
|||
cfg->file, cfg->line, server->sconf.cert_file );
|
||||
cfg->err = 1;
|
||||
}
|
||||
} else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
|
||||
server->sconf.system_certs = parse_bool( cfg );
|
||||
} else if (!strcasecmp( "SSLType", cfg->cmd )) {
|
||||
if (!strcasecmp( "None", cfg->val )) {
|
||||
server->ssl_type = SSL_None;
|
||||
|
|
10
src/mbsync.1
10
src/mbsync.1
|
@ -301,13 +301,19 @@ Generally, the newest TLS version is recommended, but as this confuses some
|
|||
servers, \fBTLSv1\fR is the default.
|
||||
..
|
||||
.TP
|
||||
\fBSystemCertificates\fR \fIyes\fR|\fIno\fR
|
||||
Whether the system's default root cerificate store should be loaded.
|
||||
(Default: \fIyes\fR)
|
||||
..
|
||||
.TP
|
||||
\fBCertificateFile\fR \fIpath\fR
|
||||
File containing additional X.509 certificates used to verify server
|
||||
identities. Directly matched peer certificates are always trusted,
|
||||
regardless of validity.
|
||||
.br
|
||||
Note that the system's default certificate store is always used and should
|
||||
not be specified here.
|
||||
Note that the system's default certificate store is always used
|
||||
(unless \fBSystemCertificates\fR is disabled)
|
||||
and should not be specified here.
|
||||
..
|
||||
.TP
|
||||
\fBPipelineDepth\fR \fIdepth\fR
|
||||
|
|
|
@ -219,7 +219,7 @@ init_ssl_ctx( const server_conf_t *conf )
|
|||
return 0;
|
||||
}
|
||||
mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
|
||||
if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
|
||||
if (mconf->system_certs && !SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
|
||||
warn( "Warning: Unable to load default certificate files: %s\n",
|
||||
ERR_error_string( ERR_get_error(), 0 ) );
|
||||
|
||||
|
|
|
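Review bot: With `system_certs` disabled and no CertificateFile configured, the guard on the new `if` line leaves the SSL_CTX trust store empty, and the only later feedback would be a verification failure on every connection; an explicit diagnostic at setup time would be clearer, e.g. after this statement `if (!conf->system_certs && !conf->cert_file) warn( "Warning: no trusted certificates configured; server certificates cannot be verified\n" );`. Whether an empty store is already rejected later in init_ssl_ctx cannot be seen here, since the function continues past the hunk. Suppressing the "Unable to load default certificate files" warning when the option is off is the intended effect and reads correctly.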
@ -44,6 +44,7 @@ typedef struct server_conf {
|
|||
int port;
|
||||
#ifdef HAVE_LIBSSL
|
||||
char *cert_file;
|
||||
char system_certs;
|
||||
char ssl_versions;
|
||||
|
||||
/* these are actually variables and are leaked at the end */
|
||||
|
|
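Review bot: The new `system_certs` field has no comment, and its meaning (a yes/no switch rather than a count) is not obvious from the declaration alone; suggest `char system_certs; /* load the system's default CA store (SystemCertificates option, default on) */`. Using a plain `char` for the flag matches the adjacent `char ssl_versions`, so the type is consistent with the file's convention. The server_conf struct continues outside the hunk.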