commit 380b75e6dc62bf74395a8ef90252d346508c253a
parent 0d8bdd73cd3954a632c01b34d6a2ef2b7e164f6a
Author: andreaha <andreaha@b31fe1f4-c0d1-0310-8000-a34f4ae90293>
Date: Mon, 2 Feb 2004 20:15:35 +0000
- Added --ca-path and "ca path" options. The verify locations
are now loaded from these settings.
git-svn-id: file:///home/cwright/convert/bincimap/trunk@20 b31fe1f4-c0d1-0310-8000-a34f4ae90293
Diffstat:
3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/man/bincimap-up.1 b/man/bincimap-up.1
@@ -42,8 +42,8 @@ connection. <n> can not be less than 30 seconds.
.TP
\fB\-f, \-\-ca-file=<file>\fR
-A file used to list certificate authorities in. It is sent to the
-client to help the client verify the SSL certificate.
+A file with one or more certificate authority certificates. It is used
+to help the client verify the SSL certificate.
.TP
\fB\-P, \-\-ca-path=<path>\fR
diff --git a/man/bincimap.conf.5 b/man/bincimap.conf.5
@@ -184,8 +184,13 @@ The path to the SSL certificate file, in PEM format.
.TP
\fBSSL::ca file = <file>\fR
-A file used to list certificate authorities in. It is sent to the
-client to help the client verify the SSL certificate.
+A file with one or more certificate authority certificates. It is used
+to help the client verify the SSL certificate.
+
+.TP
+\fBSSL::ca path = <path>\fR
+A path with lists of certificate authorities' cerficates. It is used
+to help the client verify the SSL certificate.
.TP
\fBSSL::cipher list = <cipherlist>\fR
diff --git a/src/io-ssl.cc b/src/io-ssl.cc
@@ -105,6 +105,9 @@ bool SSLEnabledIO::setModeSSL(void)
string CAfile = session.globalconfig["SSL"]["ca file"];
if (CAfile == "") CAfile == "/usr/share/ssl/certs/.crt";
+ string CApath = session.globalconfig["SSL"]["ca path"];
+ if (CApath == "") CApath == "/usr/share/ssl/certs/";
+
SSL_CTX_set_default_verify_paths(ctx);
string pemname = session.globalconfig["SSL"]["pem file"];
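Review bot: The default on the new line `if (CApath == "") CApath == "/usr/share/ssl/certs/";` is a comparison, not an assignment, so an unset "ca path" silently stays empty (the pre-existing CAfile line directly above has the same `==` slip, and its `/usr/share/ssl/certs/.crt` default looks like a typo worth confirming). Write `if (CApath == "") CApath = "/usr/share/ssl/certs/";` and, if that file default is intended, `if (CAfile == "") CAfile = "/usr/share/ssl/certs/.crt";`. Because `SSL_CTX_set_default_verify_paths(ctx)` is still called, these settings add to OpenSSL's built-in locations rather than replace them, which is worth a one-line comment here so an operator does not assume "ca path" restricts the trusted set. setModeSSL continues outside the hunk.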
@@ -132,6 +135,12 @@ bool SSLEnabledIO::setModeSSL(void)
return false;
}
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile.c_str(), CApath.c_str())) {
+ setLastError("SSL error: unable to load CA file or path: "
+ + string(ERR_error_string(ERR_get_error(), 0)));
+ return false;
+ }
+
if (session.globalconfig["SSL"]["verify peer"] == "yes")
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, 0);
else
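Review bot: `SSL_CTX_load_verify_locations(ctx, CAfile.c_str(), CApath.c_str())` passes an empty C string rather than NULL for whichever of "ca file" / "ca path" is not configured (and, given the `==` on the default lines earlier in this function, both are empty in a default config), which OpenSSL treats as a file or directory named "" and rejects, so setModeSSL now returns false unless both settings are present. Map empty to NULL before the call and skip it when both are NULL, since OpenSSL also returns 0 in that case: `const char *caf = CAfile.empty() ? 0 : CAfile.c_str(), *cap = CApath.empty() ? 0 : CApath.c_str();` then `if ((caf || cap) && !SSL_CTX_load_verify_locations(ctx, caf, cap)) {`. `ERR_error_string(ERR_get_error(), 0)` formats into a static buffer; if this server is ever threaded, `ERR_error_string_n` into a local buffer is the safe form. The enclosing function and the `else` branch continue outside the hunk.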