11 年之前 · aba3524d9b
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -2263,6 +2263,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 
				 #ifdef HAVE_LIBSSL
			
 
				 	server->ssl_type = -1;
			
 
				 	server->sconf.ssl_versions = -1;
			
 
				+	server->sconf.system_certs = 1;
			
 
				 #endif
			
 
				 	server->max_in_progress = INT_MAX;
			
 
				 
			
@@ -2308,6 +2309,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 
				 				           cfg->file, cfg->line, server->sconf.cert_file );
			
 
				 				cfg->err = 1;
			
 
				 			}
			
 
				+		} else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
			
 
				+			server->sconf.system_certs = parse_bool( cfg );
			
 
				 		} else if (!strcasecmp( "SSLType", cfg->cmd )) {
			
 
				 			if (!strcasecmp( "None", cfg->val )) {
			
 
				 				server->ssl_type = SSL_None;
			
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -301,13 +301,19 @@ Generally, the newest TLS version is recommended, but as this confuses some
 
				 servers, \fBTLSv1\fR is the default.
			
 
				 ..
			
 
				 .TP
			
 
				+\fBSystemCertificates\fR \fIyes\fR|\fIno\fR
			
 
				+Whether the system's default root cerificate store should be loaded.
			
 
				+(Default: \fIyes\fR)
			
 
				+..
			
 
				+.TP
			
 
				 \fBCertificateFile\fR \fIpath\fR
			
 
				 File containing additional X.509 certificates used to verify server
			
 
				 identities. Directly matched peer certificates are always trusted,
			
 
				 regardless of validity.
			
 
				 .br
			
 
				-Note that the system's default certificate store is always used and should
			
 
				-not be specified here.
			
 
				+Note that the system's default certificate store is always used
			
 
				+(unless \fBSystemCertificates\fR is disabled)
			
 
				+and should not be specified here.
			
 
				 ..
			
 
				 .TP
			
 
				 \fBPipelineDepth\fR \fIdepth\fR
			
--- a/src/socket.c
+++ b/src/socket.c
@@ -219,7 +219,7 @@ init_ssl_ctx( const server_conf_t *conf )
 
				 		return 0;
			
 
				 	}
			
 
				 	mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
			
 
				-	if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
			
 
				+	if (mconf->system_certs && !SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
			
 
				 		warn( "Warning: Unable to load default certificate files: %s\n",
			
 
				 		      ERR_error_string( ERR_get_error(), 0 ) );
			
 
				 
			
--- a/src/socket.h
+++ b/src/socket.h
@@ -44,6 +44,7 @@ typedef struct server_conf {
 
				 	int port;
			
 
				 #ifdef HAVE_LIBSSL
			
 
				 	char *cert_file;
			
 
				+	char system_certs;
			
 
				 	char ssl_versions;
			
 
				 
			
 
				 	/* these are actually variables and are leaked at the end */