From e35a6155bc6913793d4e5a6ac168d5ab2c952471 Mon Sep 17 00:00:00 2001
From: Richard Soderberg
Date: Sat, 5 Sep 2015 00:22:40 -0700
Subject: [PATCH] Add --cafile , alongside --capath .

For unknown reasons, while we previously supported --capath we did not support --cafile. This forces the --cafile autodetection logic to run every time, unnecessarily, when we have a specific file in mind to use.

This patch relocates the -CAfile autodetection logic to run *only if* the --cafile parameter is not provided. If it is not provided, the autodetection logic occurs precisely as before.

This patch declines to address what happens if both --capath and --cafile are passed. The previous logic already ensured that the CA file was *always* set, and then only sometimes was the CA path set. The new logic maintains that behavior precisely, reserving logic flow changes for a separate commit.
---
 cipherscan | 31 ++++++++++++++++++-------------
 1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/cipherscan b/cipherscan
index 21d52c6..9b6f302 100755
--- a/cipherscan
+++ b/cipherscan
@@ -54,19 +54,7 @@ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then
 export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
 fi
-# find a list of trusted CAs on the local system, or use the provided list
-if [[ -z "$CACERTS" ]]; then
- for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
- if [[ -e "$f" ]]; then
- CACERTS="$f"
- break
- fi
- done
-fi
-if [[ ! -e "$CACERTS" ]]; then
- CACERTS="$DIRNAMEPATH/ca-bundle.crt"
-fi
-
+CACERTS=""
 # RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
 # (probably a result of a workaround for the bug in Apple implementation of ECDSA)
 CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
@@ -1313,6 +1301,10 @@ do
 DELAY=$2
 shift 2
 ;;
+ --cafile)
+ CACERTS="$2"
+ shift 2
+ ;;
 --capath)
 CAPATH="$2"
 shift 2
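Review bot: `CACERTS=""` unconditionally discards any CACERTS value inherited from the environment, which the removed `-z` guard and its comment ("or use the provided list") appear to have honoured as a pre-set override; if that override was real, the description's claim that autodetection now happens "precisely as before" does not hold. I cannot see from this hunk whether anything earlier in the script sets CACERTS, so this is hedged. If dropping the override is deliberate, say so at the assignment, e.g. `# CACERTS is set only by --cafile; autodetection runs after option parsing` — otherwise `CACERTS="${CACERTS:-}"` preserves the old behaviour while still giving the later `-z` check a defined value.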
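Review bot: The new `--cafile)` arm stores `$2` without checking it, and the relocated fallback in the third hunk (`if [[ ! -e "$CACERTS" ]]`) then silently replaces a mistyped or missing path with `$DIRNAMEPATH/ca-bundle.crt`, so a scan the operator pinned to a specific trust store runs against the bundled one with no indication that the request was ignored. The parser is the right place to reject this: `[[ -r "$2" ]] || { echo "--cafile: cannot read $2" >&2; exit 1; }` immediately before `CACERTS="$2"`. The same gap exists for the pre-existing `--capath` arm, where `$2` is also taken on trust. The enclosing option-parsing loop starts and ends outside the hunk.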
@@ -1380,6 +1372,19 @@ if [[ $TEST_CURVES == "True" ]]; then
 fi
 fi
+# find a list of trusted CAs on the local system, or use the provided list
+if [[ -z "$CACERTS" ]]; then
+ for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
+ if [[ -e "$f" ]]; then
+ CACERTS="$f"
+ break
+ fi
+ done
+fi
+if [[ ! -e "$CACERTS" ]]; then
+ CACERTS="$DIRNAMEPATH/ca-bundle.crt"
+fi
+
 if [[ $VERBOSE != 0 ]] ; then
 [[ -n "$CACERTS" ]] && echo "Using trust anchors from $CACERTS"
 echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"
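Review bot: The final fallback `CACERTS="$DIRNAMEPATH/ca-bundle.crt"` is assigned without any check that the file exists or is readable, so when neither system bundle is present the verbose line below still reports "Using trust anchors from …" for a path that may not be there, and the `-n` guard on that message is now always true because this block always leaves CACERTS non-empty. The candidate test `if [[ -e "$f" ]]; then` also accepts a directory or an unreadable file; `if [[ -f "$f" && -r "$f" ]]; then` is the tighter form, and the fallback could be validated the same way with a warning on stderr when it fails. The block itself is the one removed in the first hunk, moved verbatim, so these points predate the commit but are now the code under review.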