bincimap


commit 380b75e6dc62bf74395a8ef90252d346508c253a
parent 0d8bdd73cd3954a632c01b34d6a2ef2b7e164f6a
Author: andreaha <andreaha@b31fe1f4-c0d1-0310-8000-a34f4ae90293>
Date:   Mon,  2 Feb 2004 20:15:35 +0000

- Added --ca-path and "ca path" options. The verify locations
  are now loaded from these settings.


git-svn-id: file:///home/cwright/convert/bincimap/trunk@20 b31fe1f4-c0d1-0310-8000-a34f4ae90293

Diffstat:
Mman/bincimap-up.1 | 4++--
Mman/bincimap.conf.5 | 9+++++++--
Msrc/io-ssl.cc | 9+++++++++
3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/man/bincimap-up.1 b/man/bincimap-up.1 @@ -42,8 +42,8 @@ connection. <n> can not be less than 30 seconds. .TP \fB\-f, \-\-ca-file=<file>\fR -A file used to list certificate authorities in. It is sent to the -client to help the client verify the SSL certificate. +A file with one or more certificate authority certificates. It is used +to help the client verify the SSL certificate. .TP \fB\-P, \-\-ca-path=<path>\fR diff --git a/man/bincimap.conf.5 b/man/bincimap.conf.5 @@ -184,8 +184,13 @@ The path to the SSL certificate file, in PEM format. .TP \fBSSL::ca file = <file>\fR -A file used to list certificate authorities in. It is sent to the -client to help the client verify the SSL certificate. +A file with one or more certificate authority certificates. It is used +to help the client verify the SSL certificate. + +.TP +\fBSSL::ca path = <path>\fR +A path with lists of certificate authorities' cerficates. It is used +to help the client verify the SSL certificate. .TP \fBSSL::cipher list = <cipherlist>\fR diff --git a/src/io-ssl.cc b/src/io-ssl.cc @@ -105,6 +105,9 @@ bool SSLEnabledIO::setModeSSL(void) string CAfile = session.globalconfig["SSL"]["ca file"]; if (CAfile == "") CAfile == "/usr/share/ssl/certs/.crt"; + string CApath = session.globalconfig["SSL"]["ca path"]; + if (CApath == "") CApath == "/usr/share/ssl/certs/"; + SSL_CTX_set_default_verify_paths(ctx); string pemname = session.globalconfig["SSL"]["pem file"]; @@ -132,6 +135,12 @@ bool SSLEnabledIO::setModeSSL(void) return false; } + if (!SSL_CTX_load_verify_locations(ctx, CAfile.c_str(), CApath.c_str())) { + setLastError("SSL error: unable to load CA file or path: " + + string(ERR_error_string(ERR_get_error(), 0))); + return false; + } + if (session.globalconfig["SSL"]["verify peer"] == "yes") SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, 0); else
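Review bot: The default added for CApath in the first src/io-ssl.cc hunk never takes effect, because `if (CApath == "") CApath == "/usr/share/ssl/certs/";` compares instead of assigning. The CAfile context line just above it has the same `==`. Change it to `if (CApath == "") CApath = "/usr/share/ssl/certs/";` and fix CAfile the same way; otherwise an unset option stays an empty string and reaches the SSL_CTX_load_verify_locations call added in the second hunk. setModeSSL begins and ends outside this hunk.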
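Review bot: In the second src/io-ssl.cc hunk, SSL_CTX_load_verify_locations receives `CAfile.c_str()` and `CApath.c_str()` unconditionally, and any failure makes setModeSSL return false. OpenSSL treats only a null pointer as "not given", so an empty or missing CA file is expected to fail the call, and SSL setup is then refused before the "verify peer" check is reached. Pass null for unset values, e.g. `SSL_CTX_load_verify_locations(ctx, CAfile.empty() ? 0 : CAfile.c_str(), CApath.empty() ? 0 : CApath.c_str())`, and skip the call when both are unset. It is also worth deciding whether the failure should be fatal only when peer verification is requested; the rest of setModeSSL is outside the hunk, so that depends on code not shown here.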