commit aba3524d9ba1da2357a92d51a9e7b0e1a93884b4
Author: Oswald Buddenhagen <o...@users.sf.net>
Date: Sun Jul 27 15:42:33 2014 +0200
make it possible to disable usage of system cert store
src/drv_imap.c | 3 +++
src/mbsync.1 | 10 ++++++++--
src/socket.c | 2 +-
src/socket.h | 1 +
4 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/drv_imap.c b/src/drv_imap.c
index 8981bb4..e5e0621 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -2263,6 +2263,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
#ifdef HAVE_LIBSSL
server->ssl_type = -1;
server->sconf.ssl_versions = -1;
+ server->sconf.system_certs = 1;
#endif
server->max_in_progress = INT_MAX;
@@ -2308,6 +2309,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
cfg->file, cfg->line,
server->sconf.cert_file );
cfg->err = 1;
}
+ } else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
+ server->sconf.system_certs = parse_bool( cfg );
} else if (!strcasecmp( "SSLType", cfg->cmd )) {
if (!strcasecmp( "None", cfg->val )) {
server->ssl_type = SSL_None;
diff --git a/src/mbsync.1 b/src/mbsync.1
index 73b7853..599061e 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -301,13 +301,19 @@ Generally, the newest TLS version is recommended, but as
this confuses some
servers, \fBTLSv1\fR is the default.
..
.TP
+\fBSystemCertificates\fR \fIyes\fR|\fIno\fR
+Whether the system's default root cerificate store should be loaded.
+(Default: \fIyes\fR)
+..
+.TP
\fBCertificateFile\fR \fIpath\fR
File containing additional X.509 certificates used to verify server
identities. Directly matched peer certificates are always trusted,
regardless of validity.
.br
-Note that the system's default certificate store is always used and should
-not be specified here.
+Note that the system's default certificate store is always used
+(unless \fBSystemCertificates\fR is disabled)
+and should not be specified here.
..
.TP
\fBPipelineDepth\fR \fIdepth\fR
diff --git a/src/socket.c b/src/socket.c
index af83e09..bee11a1 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -219,7 +219,7 @@ init_ssl_ctx( const server_conf_t *conf )
return 0;
}
mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store(
mconf->SSLContext )->objs );
- if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
+ if (mconf->system_certs && !SSL_CTX_set_default_verify_paths(
mconf->SSLContext ))
warn( "Warning: Unable to load default certificate files: %s\n",
ERR_error_string( ERR_get_error(), 0 ) );
diff --git a/src/socket.h b/src/socket.h
index e9c3bca..78e3206 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -44,6 +44,7 @@ typedef struct server_conf {
int port;
#ifdef HAVE_LIBSSL
char *cert_file;
+ char system_certs;
char ssl_versions;
/* these are actually variables and are leaked at the end */
------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
isync-devel mailing list
isync-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/isync-devel
