author | Joe Orton <joe@manyfish.uk> | 2022-09-10 16:43:54 +0100 |
---|---|---|
committer | Joe Orton <joe@manyfish.uk> | 2022-09-10 16:45:34 +0100 |
commit | f9e8c2fb7c15180df8a728d242308f7a785dc982 (patch) | |
tree | 64b7ee37caa395d174134cb1ca761ad126943f80 | |
parent | 11084a4362580a2f1d80ba54a9e46d01b98d3201 (diff) | |
Make ne_ssl_trust_default_ca a noop for non-SSL sessions, like [default-ca]
ne_ssl_trust_cert.
* src/ne_gnutls.c (ne_ssl_trust_default_ca),
src/ne_openssl.c (ne_ssl_trust_default_ca): Noop for non-SSL
session.
* test/ssl.c (nonssl_trust): Test that ne_ssl_trust_default_ca() is a
noop for non-SSL sessions.
-rw-r--r-- | src/ne_gnutls.c | 12 | ||||
-rw-r--r-- | src/ne_openssl.c | 8 | ||||
-rw-r--r-- | src/ne_session.h | 3 | ||||
-rw-r--r-- | test/ssl.c | 1 |
4 files changed, 15 insertions, 9 deletions
diff --git a/src/ne_gnutls.c b/src/ne_gnutls.c
index 4c37d47..06621dc 100644
--- a/src/ne_gnutls.c
+++ b/src/ne_gnutls.c
@@ -1080,15 +1080,17 @@ void ne_ssl_context_trustcert(ne_ssl_context *ctx, const ne_ssl_certificate *cer
 void ne_ssl_trust_default_ca(ne_session *sess)
 {
+ if (sess->ssl_context) {
 #ifdef NE_SSL_CA_BUNDLE
- gnutls_certificate_set_x509_trust_file(sess->ssl_context->cred,
- NE_SSL_CA_BUNDLE,
- GNUTLS_X509_FMT_PEM);
+ gnutls_certificate_set_x509_trust_file(sess->ssl_context->cred,
+ NE_SSL_CA_BUNDLE,
+ GNUTLS_X509_FMT_PEM);
 #elif defined(HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST)
- int rv = gnutls_certificate_set_x509_system_trust(sess->ssl_context->cred);
+ int rv = gnutls_certificate_set_x509_system_trust(sess->ssl_context->cred);
- NE_DEBUG(NE_DBG_SSL, "ssl: System certificates trusted (%d)\n", rv);
+ NE_DEBUG(NE_DBG_SSL, "ssl: System certificates trusted (%d)\n", rv);
 #endif
+ }
 }
 /* Read the contents of file FILENAME into *DATUM. */
diff --git a/src/ne_openssl.c b/src/ne_openssl.c
index d13c25a..a8942ec 100644
--- a/src/ne_openssl.c
+++ b/src/ne_openssl.c
@@ -810,13 +810,15 @@ void ne_ssl_context_trustcert(ne_ssl_context *ctx, const ne_ssl_certificate *cer
 void ne_ssl_trust_default_ca(ne_session *sess)
 {
- X509_STORE *store = SSL_CTX_get_cert_store(sess->ssl_context->ctx);
+ if (sess->ssl_context) {
+ X509_STORE *store = SSL_CTX_get_cert_store(sess->ssl_context->ctx);
 #ifdef NE_SSL_CA_BUNDLE
- X509_STORE_load_locations(store, NE_SSL_CA_BUNDLE, NULL);
+ X509_STORE_load_locations(store, NE_SSL_CA_BUNDLE, NULL);
 #else
- X509_STORE_set_default_paths(store);
+ X509_STORE_set_default_paths(store);
 #endif
+ }
 }
 /* Find a friendly name in a PKCS12 structure the hard way, without
diff --git a/src/ne_session.h b/src/ne_session.h
index e810382..dce99a0 100644
--- a/src/ne_session.h
+++ b/src/ne_session.h
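Review bot: Inside the new `if (sess->ssl_context)` block, the `NE_SSL_CA_BUNDLE` branch still discards the return value of `gnutls_certificate_set_x509_trust_file()`, while the `#elif` branch right beside it captures `rv` and logs it; the src/ne_openssl.c hunk has the same gap for `X509_STORE_load_locations()` and `X509_STORE_set_default_paths()`. Because the function returns void, a missing or unreadable bundle silently leaves the session without the intended trust anchors and leaves no trace of why later certificate verification behaves differently. Mirroring the existing branch keeps both paths consistent and diagnosable: `int rv = gnutls_certificate_set_x509_trust_file(sess->ssl_context->cred, NE_SSL_CA_BUNDLE, GNUTLS_X509_FMT_PEM);` followed by `NE_DEBUG(NE_DBG_SSL, "ssl: CA bundle trusted (%d)\n", rv);`, and the analogous debug line around the two OpenSSL calls. What a session with no loaded CAs does at verification time is decided by code outside these hunks, so that is worth confirming rather than assuming.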
@@ -281,7 +281,8 @@ void ne_ssl_set_clicert(ne_session *sess, const ne_ssl_client_cert *clicert);
 void ne_ssl_trust_cert(ne_session *sess, const ne_ssl_certificate *cert);
 /* If the SSL library provided a default set of CA certificates, trust
- * this set of CAs. */
+ * this set of CAs. This function has no effect for non-SSL
+ * sessions. */
 void ne_ssl_trust_default_ca(ne_session *sess);
 /* Callback used to load a client certificate on demand. If dncount
@@ -1823,6 +1823,7 @@ static int nonssl_trust(void)
 ne_session *sess = ne_session_create("http", "www.example.com", 80);
 ne_ssl_trust_cert(sess, def_ca_cert);
+ ne_ssl_trust_default_ca(sess);
 ne_session_destroy(sess); |