From e139cbac0a277cc4eff58bff345fbbcaf0858903 Mon Sep 17 00:00:00 2001
From: David Disseldorp
Date: Mon, 20 Feb 2017 14:47:59 +0100
Subject: [PATCH] sample/https-client: use host SSL certificate store by default

Currently a static (Debian) certificate path is used by default, which can be overridden using the -crt parameter. This commit changes the default behaviour such that the openssl default certificate store is used, unless overridden by -crt.

Signed-off-by: David Disseldorp
---
 sample/https-client.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/sample/https-client.c b/sample/https-client.c
index 75666836..18cea906 100644
--- a/sample/https-client.c
+++ b/sample/https-client.c
@@ -191,7 +191,7 @@ main(int argc, char **argv)
 	struct evhttp_uri *http_uri = NULL;
 	const char *url = NULL, *data_file = NULL;
-	const char *crt = "/etc/ssl/certs/ca-certificates.crt";
+	const char *crt = NULL;
 	const char *scheme, *host, *path, *query;
 	char uri[256];
 	int port;
@@ -338,11 +338,19 @@ main(int argc, char **argv)
 #ifndef _WIN32
 	/* TODO: Add certificate loading on Windows as well */
-	/* Attempt to use the system's trusted root certificates.
-	 * (This path is only valid for Debian-based systems.) */
-	if (1 != SSL_CTX_load_verify_locations(ssl_ctx, crt, NULL)) {
-		err_openssl("SSL_CTX_load_verify_locations");
-		goto error;
+	if (crt == NULL) {
+		X509_STORE *store;
+		/* Attempt to use the system's trusted root certificates. */
+		store = SSL_CTX_get_cert_store(ssl_ctx);
+		if (X509_STORE_set_default_paths(store) != 1) {
+			err_openssl("X509_STORE_set_default_paths");
+			goto error;
+		}
+	} else {
+		if (SSL_CTX_load_verify_locations(ssl_ctx, crt, NULL) != 1) {
+			err_openssl("SSL_CTX_load_verify_locations");
+			goto error;
+		}
 	}
 	/* Ask OpenSSL to verify the server certificate. Note that this
 	 * does NOT include verifying that the hostname is correct.
-- 
2.40.0
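Review bot: The `crt == NULL` branch in the second hunk fetches the store by hand where `SSL_CTX_set_default_verify_paths(ssl_ctx)` does the same job in one call and keeps the same `SSL_CTX_*` shape as the `else` branch: `if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) { err_openssl("SSL_CTX_set_default_verify_paths"); goto error; }`. Either way, as far as I know the default-path loaders clear the error when the default CA file or directory does not exist, so a host with no CA bundle installed passes this check and only fails later at verification time with an "unable to get local issuer certificate" error; the comment on the new branch could say so, since the old fixed path failed loudly here instead. The default locations are also overridable through the SSL_CERT_FILE and SSL_CERT_DIR environment variables, which is worth a line in the same comment now that the trust store is no longer a fixed path. main() starts and ends outside both hunks.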