MFH (r266291): look for root certs in /usr/local first

svn path=/stable/10/; revision=266632
2024-11-30 15:12:44 +00:00 · 2014-05-24 22:50:58 +00:00 · 2014-05-24 22:50:58 +00:00 · a8941797ca · 2020-12-20 02:59:44 +00:00
commit a8941797ca
parent 1cdd8c6d7e
1 changed files with 8 additions and 2 deletions
--- a/lib/libfetch/common.c
+++ b/lib/libfetch/common.c
@ -688,6 +688,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose)
 /*
 * Configure peer verification based on environment.
 */
+#define LOCAL_CERT_FILE	"/usr/local/etc/ssl/cert.pem"
+#define BASE_CERT_FILE	"/etc/ssl/cert.pem"
 static int
 fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
 {
@ -696,8 +698,12 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
 	const char *ca_cert_file, *ca_cert_path, *crl_file;

 	if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
-		ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ?
-		    getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem";
+		ca_cert_file = getenv("SSL_CA_CERT_FILE");
+		if (ca_cert_file == NULL &&
+		    access(LOCAL_CERT_FILE, R_OK) == 0)
+			ca_cert_file = LOCAL_CERT_FILE;
+		if (ca_cert_file == NULL)
+			ca_cert_file = BASE_CERT_FILE;
 		ca_cert_path = getenv("SSL_CA_CERT_PATH");
 		if (verbose) {
 			fetch_info("Peer verification enabled");