From a6df11f2bbd2c9cdf4a8f16d93d8a56c8f41c68d Mon Sep 17 00:00:00 2001 From: "C. McEnroe" Date: Fri, 31 Jul 2020 22:53:27 -0400 Subject: tls: Call SSL_CTX_set_default_verify_paths by default This removes the hard dependency on a CA bundle file existing in the default path (which seems to not be the case on Debian, for example), but results in a subtle behaviour change: if the CA bundle file does not exist, the CA directory will be used instead, rather than failing hard. I believe the only reason libtls insists on loading a CA bundle file itself is so that it can be sandboxed afterwards, given that a file is loaded all at once while a directory is only loaded as needed. If the default CA bundle file exists, SSL_CTX_set_default_verify_paths will still immediately load it, so sandboxing will still work. If it doesn't exist, then the CA directory will be used, which will work well for unsandboxed applications, but will likely fail during verification as it tries to search the directory. Either way, if the CA bundle file does not exist, a sandboxed application will not work. Enabling the use of the CA directory, however, will allow more unsandboxed applications to work. Finally, to restore the original behaviour, an application can call tls_config_set_ca_file(3) with the path returned by tls_default_ca_cert_file(3). --- tls.c | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/tls.c b/tls.c index 90458c4..26adb2b 100644 --- a/tls.c +++ b/tls.c @@ -609,14 +609,6 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify) if (ctx->config->verify_cert == 0) goto done; - /* If no CA has been specified, attempt to load the default. */ - if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) { - if (tls_config_load_file(&ctx->error, "CA", tls_default_ca_cert_file(), - &ca_mem, &ca_len) != 0) - goto err; - ca_free = ca_mem; - } - if (ca_mem != NULL) { if (ca_len > INT_MAX) { tls_set_errorx(ctx, "ca too long"); @@ -626,10 +618,17 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify) tls_set_errorx(ctx, "ssl verify memory setup failure"); goto err; } - } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL, - ctx->config->ca_path) != 1) { - tls_set_errorx(ctx, "ssl verify locations failure"); - goto err; + } else if (ctx->config->ca_path != NULL) { + if (SSL_CTX_load_verify_locations(ssl_ctx, NULL, + ctx->config->ca_path) != 1) { + tls_set_errorx(ctx, "ssl verify locations failure"); + goto err; + } + } else { + if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) { + tls_set_errorx(ctx, "ssl verify locations failure"); + goto err; + } } if (crl_mem != NULL) { -- cgit 1.4.1