summary refs log tree commit diff
path: root/man/tls_accept_socket.3
diff options
context:
space:
mode:
authorJune McEnroe <june@causal.agency>2020-07-31 22:53:27 -0400
committerJune McEnroe <june@causal.agency>2020-07-31 23:10:51 -0400
commita6df11f2bbd2c9cdf4a8f16d93d8a56c8f41c68d (patch)
treeaa5fe01a11fa67f1dea2f3116f41a1684219542d /man/tls_accept_socket.3
parenttls_config: Replace constant with X509_get_default_cert_file() (diff)
downloadlibretls-a6df11f2bbd2c9cdf4a8f16d93d8a56c8f41c68d.tar.gz
libretls-a6df11f2bbd2c9cdf4a8f16d93d8a56c8f41c68d.zip
tls: Call SSL_CTX_set_default_verify_paths by default
This removes the hard dependency on a CA bundle file existing in the
default path (which seems to not be the case on Debian, for example),
but results in a subtle behaviour change: if the CA bundle file does not
exist, the CA directory will be used instead, rather than failing hard.

I believe the only reason libtls insists on loading a CA bundle file
itself is so that it can be sandboxed afterwards, given that a file is
loaded all at once while a directory is only loaded as needed. If the
default CA bundle file exists, SSL_CTX_set_default_verify_paths will
still immediately load it, so sandboxing will still work. If it doesn't
exist, then the CA directory will be used, which will work well for
unsandboxed applications, but will likely fail during verification as it
tries to search the directory. Either way, if the CA bundle file does
not exist, a sandboxed application will not work. Enabling the use of
the CA directory, however, will allow more unsandboxed applications to
work.

Finally, to restore the original behaviour, an application can call
tls_config_set_ca_file(3) with the path returned by
tls_default_ca_cert_file(3).
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions
54 +0200'>2009-08-09ui-summary: enable arbitrary paths below repo.readmeLars Hjemli 2009-08-09cgit.c: allow repo.*-filter options to unset the current defaultLars Hjemli 2009-08-09Add support for repo.commit-filter and repo.source-filterLars Hjemli 2009-08-08Expose file extension in tree lists as class to allow nicer tree stylingMartin Szulecki 2009-08-08Introduce noplainemail option to hide email adresses from spambotsMartin Szulecki 2009-07-31ui-commit: add support for 'commit-filter' optionLars Hjemli 2009-07-31ui-tree: add support for source-filter optionLars Hjemli 2009-07-31ui-snapshot: use cgit_{open|close}_filter() to execute compressorsLars Hjemli 2009-07-31Add generic filter/plugin infrastructureLars Hjemli 2009-07-25Add support for mime type registration and lookupLars Hjemli 2009-07-25cgit.h: keep config flags sortedLars Hjemli 2009-07-25cgitrc.5.txt: document 'embedded' and 'noheader'Lars Hjemli 2009-07-25Add support for 'noheader' optionLars Hjemli 2009-07-25cgitrc.5.txt: document 'head-include'Lars Hjemli 2009-07-25ui-blob: return 'application/octet-stream' for binary blobsLars Hjemli 2009-07-25ui-plain: Return 'application/octet-stream' for binary files.Remko Tronçon 2009-06-11use cgit_httpscheme() for atom feedDiego Ongaro 2009-06-11add cgit_httpscheme() -> http:// or https://Diego Ongaro 2009-06-07Return http statuscode 404 on unknown branchLars Hjemli 2009-06-07Add head-include configuration option.Mark Lodato 2009-03-15CGIT 0.8.2.1Lars Hjemli 2009-03-15Fix doc-related glitches in Makefile and .gitignoreLars Hjemli 2009-03-15ui-snapshot: avoid segfault when no filename is specifiedLars Hjemli 2009-03-15fix segfault when displaying empty blobsEric Wong 2009-02-19Add support for HEAD requestsLars Hjemli 2009-02-19Add support for ETag in 'plain' viewLars Hjemli 2009-02-12ui-tree: escape ascii-text properly in hexdump viewLars Hjemli 2009-02-12Makefile: add doc-related targetsLars Hjemli