Add --cafile <filename.crt>, alongside --capath <dirpath/>.

For unknown reasons, while we previously supported --capath we did not support --cafile. This forces the --cafile autodetection logic to run every time, unnecessarily, when we have a specific file in mind to use. This patch relocates the -CAfile autodetection logic to run *only if* the --cafile parameter is not provided. If it is not provided, the autodetection logic occurs precisely as before. This patch declines to address what happens if both --capath and --cafile are passed. The previous logic already ensured that the CA file was *always* set, and then only sometimes was the CA path set. The new logic maintains that behavior precisely, reserving logic flow changes for a separate commit.
2015-09-05 00:22:40 -07:00 · 2015-09-05 00:22:40 -07:00 · e35a6155bc
parent 3f3e22b09a
commit e35a6155bc
1 changed files with 18 additions and 13 deletions
--- a/31
+++ b/31
@ -54,19 +54,7 @@ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then
    export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
 fi

-# find a list of trusted CAs on the local system, or use the provided list
-if [[ -z "$CACERTS" ]]; then
-    for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
-        if [[ -e "$f" ]]; then
-            CACERTS="$f"
-            break
-        fi
-    done
-fi
-if [[ ! -e "$CACERTS" ]]; then
-    CACERTS="$DIRNAMEPATH/ca-bundle.crt"
-fi
-
+CACERTS=""
 # RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
 # (probably a result of a workaround for the bug in Apple implementation of ECDSA)
 CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
@ -1313,6 +1301,10 @@ do
            DELAY=$2
            shift 2
            ;;
+        --cafile)
+            CACERTS="$2"
+            shift 2
+            ;;
        --capath)
            CAPATH="$2"
            shift 2
@ -1380,6 +1372,19 @@ if [[ $TEST_CURVES == "True" ]]; then
    fi
 fi

+# find a list of trusted CAs on the local system, or use the provided list
+if [[ -z "$CACERTS" ]]; then
+    for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
+        if [[ -e "$f" ]]; then
+            CACERTS="$f"
+            break
+        fi
+    done
+fi
+if [[ ! -e "$CACERTS" ]]; then
+    CACERTS="$DIRNAMEPATH/ca-bundle.crt"
+fi
+
 if [[ $VERBOSE != 0 ]] ; then
    [[ -n "$CACERTS" ]] && echo "Using trust anchors from $CACERTS"
    echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"