summary refs log tree commit diff
path: root/compat/explicit_bzero_win.c
diff options
context:
space:
mode:
authorJune McEnroe <june@causal.agency>2020-07-31 22:53:27 -0400
committerJune McEnroe <june@causal.agency>2020-07-31 23:10:51 -0400
commita6df11f2bbd2c9cdf4a8f16d93d8a56c8f41c68d (patch)
treeaa5fe01a11fa67f1dea2f3116f41a1684219542d /compat/explicit_bzero_win.c
parenttls_config: Replace constant with X509_get_default_cert_file() (diff)
downloadlibretls-a6df11f2bbd2c9cdf4a8f16d93d8a56c8f41c68d.tar.gz
libretls-a6df11f2bbd2c9cdf4a8f16d93d8a56c8f41c68d.zip
tls: Call SSL_CTX_set_default_verify_paths by default
This removes the hard dependency on a CA bundle file existing in the
default path (which seems to not be the case on Debian, for example),
but results in a subtle behaviour change: if the CA bundle file does not
exist, the CA directory will be used instead, rather than failing hard.

I believe the only reason libtls insists on loading a CA bundle file
itself is so that it can be sandboxed afterwards, given that a file is
loaded all at once while a directory is only loaded as needed. If the
default CA bundle file exists, SSL_CTX_set_default_verify_paths will
still immediately load it, so sandboxing will still work. If it doesn't
exist, then the CA directory will be used, which will work well for
unsandboxed applications, but will likely fail during verification as it
tries to search the directory. Either way, if the CA bundle file does
not exist, a sandboxed application will not work. Enabling the use of
the CA directory, however, will allow more unsandboxed applications to
work.

Finally, to restore the original behaviour, an application can call
tls_config_set_ca_file(3) with the path returned by
tls_default_ca_cert_file(3).
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions
d>git: update to v2.24.0Christian Hesse 2019-10-25git: update to v2.23.0Christian Hesse 2019-10-25git: update to v2.22.0Christian Hesse 2019-06-25ui-tree: allow per repository override for enable-blameChristian Hesse 2019-06-05tests: successfully validate rc versionsChristian Hesse 2019-06-05git: update to v2.21.0Christian Hesse 2019-06-05ui-ssdiff: ban strncat()Christian Hesse 2019-06-05global: make 'char *path' const where possibleChristian Hesse 2019-05-20ui-shared: restrict to 15 levelsJason A. Donenfeld 2019-02-23ui-diff,ui-tag: don't use htmlf with non-formatted stringsChris Mayo 2019-02-23ui-ssdiff: resolve HTML5 validation errorsChris Mayo 2019-01-03filters: migrate from luacrypto to luaosslJason A. Donenfeld 2019-01-02ui-shared: fix broken sizeof in title setting and rewriteJason A. Donenfeld 2018-12-09git: update to v2.20.0Christian Hesse 2018-11-25ui-blame: set repo for sbJason A. Donenfeld 2018-11-25auth-filter: pass url with query string attachedJason A. Donenfeld 2018-11-21git: use xz compressed archive for downloadChristian Hesse 2018-10-12git: update to v2.19.1Christian Hesse 2018-09-11ui-ssdiff: ban strcat()Christian Hesse 2018-09-11ui-ssdiff: ban strncpy()Christian Hesse 2018-09-11ui-shared: ban strcat()Christian Hesse 2018-09-11ui-patch: ban sprintf()Christian Hesse 2018-09-11ui-log: ban strncpy()Christian Hesse 2018-09-11ui-log: ban strcpy()Christian Hesse 2018-09-11parsing: ban sprintf()Christian Hesse 2018-09-11parsing: ban strncpy()Christian Hesse 2018-08-28filters: generate anchor links from markdownChristian Hesse 2018-08-03Bump version.Jason A. Donenfeld 2018-08-03clone: fix directory traversalJason A. Donenfeld 2018-08-03config: record repo.snapshot-prefix in the per-repo configKonstantin Ryabitsev