Add --cafile <filename.crt>, alongside --capath <dirpath/>.
For unknown reasons, while we previously supported --capath we did not support --cafile. That forced the CA-file autodetection logic to run every time, unnecessarily, even when the caller had a specific file in mind. This patch relocates the CA-file autodetection logic so that it runs *only if* the --cafile parameter is not provided; when it is not provided, autodetection behaves precisely as before. This patch declines to address what happens if both --capath and --cafile are passed: the previous logic already ensured that the CA file was *always* set, while the CA path was only sometimes set, and the new logic maintains that behavior precisely, reserving control-flow changes for a separate commit.
This commit is contained in:
parent
3f3e22b09a
commit
e35a6155bc
31
cipherscan
31
cipherscan
@ -54,19 +54,7 @@ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then
|
||||
export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
|
||||
fi
|
||||
|
||||
# find a list of trusted CAs on the local system, or use the provided list
|
||||
if [[ -z "$CACERTS" ]]; then
|
||||
for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
|
||||
if [[ -e "$f" ]]; then
|
||||
CACERTS="$f"
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
if [[ ! -e "$CACERTS" ]]; then
|
||||
CACERTS="$DIRNAMEPATH/ca-bundle.crt"
|
||||
fi
|
||||
|
||||
CACERTS=""
|
||||
# RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
|
||||
# (probably a result of a workaround for the bug in Apple implementation of ECDSA)
|
||||
CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
|
||||
@ -1313,6 +1301,10 @@ do
|
||||
DELAY=$2
|
||||
shift 2
|
||||
;;
|
||||
--cafile)
|
||||
CACERTS="$2"
|
||||
shift 2
|
||||
;;
|
||||
--capath)
|
||||
CAPATH="$2"
|
||||
shift 2
|
||||
@ -1380,6 +1372,19 @@ if [[ $TEST_CURVES == "True" ]]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
# find a list of trusted CAs on the local system, or use the provided list
|
||||
if [[ -z "$CACERTS" ]]; then
|
||||
for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
|
||||
if [[ -e "$f" ]]; then
|
||||
CACERTS="$f"
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
if [[ ! -e "$CACERTS" ]]; then
|
||||
CACERTS="$DIRNAMEPATH/ca-bundle.crt"
|
||||
fi
|
||||
|
||||
if [[ $VERBOSE != 0 ]] ; then
|
||||
[[ -n "$CACERTS" ]] && echo "Using trust anchors from $CACERTS"
|
||||
echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"
|
||||
|
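Review bot: A `--cafile` path that does not exist is silently replaced by the bundled `$DIRNAMEPATH/ca-bundle.crt` at the `if [[ ! -e "$CACERTS" ]]` fallback in the last hunk, so a typo in the option changes the trust anchors the scan verifies against without any message, which defeats the purpose of pinning a specific file. Since the autodetection loop only ever assigns a path that passed `-e`, a non-empty but missing `$CACERTS` at that point can only have come from the explicit option (assuming nothing else assigns `CACERTS` between the `CACERTS=""` reset and this block, which I cannot fully see from here), so one guard placed before the fallback suffices: `[[ -z "$CACERTS" || -e "$CACERTS" ]] || { echo "CA file not found: $CACERTS" >&2; exit 1; }`. The same `-e` test also accepts a directory, which is not what `-CAfile` expects; `-f` (or `-r`) would reject that earlier as well. The `case` statement that the `--cafile` arm in the second hunk belongs to starts and ends outside that hunk.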