src/network/ssl/ssl.c | 33 ++++++++++++++++++++++++++++++++-
1 files changed, 32 insertions(+), 1 deletions(-)
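diff --git a/src/network/ssl/ssl.c b/src/network/ssl/ssl.c
index 73446b5..eadff7f 100644
--- a/src/network/ssl/ssl.c
+++ b/src/network/ssl/ssl.c
@@ -48,10 +48,20 @@ SSL_CTX *context = NULL;
 static void
 init_openssl(struct module *module)
 {
+ unsigned char *ca_file;
 SSLeay_add_ssl_algorithms();
 context = SSL_CTX_new(SSLv23_client_method());
 SSL_CTX_set_options(context, SSL_OP_ALL);
+#ifdef CONFIG_NSS_COMPAT_OSSL
+ ca_file = get_opt_str("connection.ssl.trusted_ca_file");
+ if (*ca_file)
+ SSL_CTX_load_verify_locations(context, ca_file, NULL);
+ else
+ SSL_CTX_set_default_verify_paths(context);
+#else
+ (void) ca_file;
 SSL_CTX_set_default_verify_paths(context);
+#endif
 }
 
 static void
@@ -61,10 +71,30 @@ done_openssl(struct module *module)
 }
 
 static union option_info openssl_options[] = {
+#ifdef CONFIG_NSS_COMPAT_OSSL
+ INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
+ "cert_verify", 0, 0,
+ N_("Verify the peer's SSL certificate.")),
+
+ INIT_OPT_STRING("connection.ssl", N_("Trusted CA file"),
+ "trusted_ca_file", 0, "/etc/pki/tls/certs/ca-bundle.crt",
+ N_("The location of a file containing certificates of "
+ "trusted certification authorities in PEM format. "
+ "ELinks then trusts certificates issued by these CAs.\n"
+ "\n"
+ "If you set this option to an empty string, default NSS root"
+ "certificates are loaded.\n"
+ "\n"
+ "If you change this option or the file, you must "
+ "restart ELinks for the changes to take effect. "
+ "This option affects GnuTLS and nss_compat_ossl but not "
+ "OpenSSL.")),
+#else
 INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
 "cert_verify", 0, 0,
 N_("Verify the peer's SSL certificate. Note that this "
 "needs extensive configuration of OpenSSL by the user.")),
+#endif
 
 INIT_OPT_TREE("connection.ssl", N_("Client Certificates"),
 "client_cert", OPT_SORT,
@@ -187,7 +217,8 @@ static union option_info gnutls_options[] = {
 "\n"
 "If you change this option or the file, you must "
 "restart ELinks for the changes to take effect. "
- "This option affects GnuTLS but not OpenSSL.")),
+ "This option affects GnuTLS and nss_compat_ossl but not "
+ "OpenSSL.")),
 
 NULL_OPTION_INFO,
 };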
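Review bot: In the first hunk the return value of `SSL_CTX_load_verify_locations(context, ca_file, NULL)` is never checked, so a misspelled or unreadable `trusted_ca_file` path leaves the context with no trust anchors and the user gets no diagnostic; with `cert_verify` on, every handshake would then fail for an unobvious reason, and with it off the misconfiguration is invisible. At minimum test the result and fall back, e.g. `if (!*ca_file || !SSL_CTX_load_verify_locations(context, (const char *) ca_file, NULL))` followed by `SSL_CTX_set_default_verify_paths(context);`, and report the failed load through whatever error path the surrounding ssl.c already uses (not visible in this hunk). The cast also addresses the sign mismatch between `unsigned char *ca_file` and the `const char *` parameter, which compilers warn about as a pointer-sign error. In the second hunk, the concatenated help text `"default NSS root"` `"certificates are loaded.\n"` is missing a space and will render as "rootcertificates"; change the first fragment to `"default NSS root "`.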