
make it possible to disable usage of system cert store

Oswald Buddenhagen 11 years ago
parent
commit
aba3524d9b
4 changed files with 13 additions and 3 deletions
  1. 3 0
      src/drv_imap.c
  2. 8 2
      src/mbsync.1
  3. 1 1
      src/socket.c
  4. 1 0
      src/socket.h

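--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -2263,6 +2263,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 #ifdef HAVE_LIBSSL
 	server->ssl_type = -1;
 	server->sconf.ssl_versions = -1;
+	server->sconf.system_certs = 1;
 #endif
 	server->max_in_progress = INT_MAX;
 
@@ -2308,6 +2309,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 				           cfg->file, cfg->line, server->sconf.cert_file );
 				cfg->err = 1;
 			}
+		} else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
+			server->sconf.system_certs = parse_bool( cfg );
 		} else if (!strcasecmp( "SSLType", cfg->cmd )) {
 			if (!strcasecmp( "None", cfg->val )) {
 				server->ssl_type = SSL_None;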
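Review bot: The new `SystemCertificates` branch in the second hunk accepts `no` without checking whether a `CertificateFile` was also given, so a store can be configured with no trust anchors at all. In that case src/socket.c skips `SSL_CTX_set_default_verify_paths()` without any diagnostic. How peer verification behaves with an empty store is not visible in this diff, so I would reject the combination at parse time rather than rely on it failing closed later. After the option loop, test `if (!server->sconf.system_certs && !server->sconf.cert_file)` for stores that use TLS, report it the way the `CertificateFile` branch reports its error, and set `cfg->err = 1;`. imap_parse_store() starts and ends outside both hunks, so the exact placement needs checking against the full function.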

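--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -301,13 +301,19 @@ Generally, the newest TLS version is recommended, but as this confuses some
 servers, \fBTLSv1\fR is the default.
 ..
 .TP
+\fBSystemCertificates\fR \fIyes\fR|\fIno\fR
+Whether the system's default root cerificate store should be loaded.
+(Default: \fIyes\fR)
+..
+.TP
 \fBCertificateFile\fR \fIpath\fR
 File containing additional X.509 certificates used to verify server
 identities. Directly matched peer certificates are always trusted,
 regardless of validity.
 .br
-Note that the system's default certificate store is always used and should
-not be specified here.
+Note that the system's default certificate store is always used
+(unless \fBSystemCertificates\fR is disabled)
+and should not be specified here.
 ..
 .TP
 \fBPipelineDepth\fR \fIdepth\fR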

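--- a/src/socket.c
+++ b/src/socket.c
@@ -219,7 +219,7 @@ init_ssl_ctx( const server_conf_t *conf )
 		return 0;
 	}
 	mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
-	if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
+	if (mconf->system_certs && !SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
 		warn( "Warning: Unable to load default certificate files: %s\n",
 		      ERR_error_string( ERR_get_error(), 0 ) );
 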

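--- a/src/socket.h
+++ b/src/socket.h
@@ -44,6 +44,7 @@ typedef struct server_conf {
 	int port;
 #ifdef HAVE_LIBSSL
 	char *cert_file;
+	char system_certs;
 	char ssl_versions;
 
 	/* these are actually variables and are leaked at the end */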