2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-26 07:53:41 +01:00

Add --cafile <filename.crt>, alongside --capath <dirpath/>.

For unknown reasons, while we previously supported --capath we did not
support --cafile. This forces the --cafile autodetection logic to run
every time, unnecessarily, when we have a specific file in mind to use.

This patch relocates the -CAfile autodetection logic to run *only if*
the --cafile parameter is not provided. If it is not provided, the
autodetection logic occurs precisely as before.

This patch declines to address what happens if both --capath and
--cafile are passed. The previous logic already ensured that the CA file
was *always* set, and then only sometimes was the CA path set. The new
logic maintains that behavior precisely, reserving logic flow changes
for a separate commit.
This commit is contained in:
Richard Soderberg 2015-09-05 00:22:40 -07:00
parent 3f3e22b09a
commit e35a6155bc

View File

@ -54,19 +54,7 @@ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then
export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf" export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
fi fi
# find a list of trusted CAs on the local system, or use the provided list CACERTS=""
if [[ -z "$CACERTS" ]]; then
for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
if [[ -e "$f" ]]; then
CACERTS="$f"
break
fi
done
fi
if [[ ! -e "$CACERTS" ]]; then
CACERTS="$DIRNAMEPATH/ca-bundle.crt"
fi
# RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers # RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
# (probably a result of a workaround for the bug in Apple implementation of ECDSA) # (probably a result of a workaround for the bug in Apple implementation of ECDSA)
CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA" CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
@ -1313,6 +1301,10 @@ do
DELAY=$2 DELAY=$2
shift 2 shift 2
;; ;;
--cafile)
CACERTS="$2"
shift 2
;;
--capath) --capath)
CAPATH="$2" CAPATH="$2"
shift 2 shift 2
@ -1380,6 +1372,19 @@ if [[ $TEST_CURVES == "True" ]]; then
fi fi
fi fi
# find a list of trusted CAs on the local system, or use the provided list
if [[ -z "$CACERTS" ]]; then
for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
if [[ -e "$f" ]]; then
CACERTS="$f"
break
fi
done
fi
if [[ ! -e "$CACERTS" ]]; then
CACERTS="$DIRNAMEPATH/ca-bundle.crt"
fi
if [[ $VERBOSE != 0 ]] ; then if [[ $VERBOSE != 0 ]] ; then
[[ -n "$CACERTS" ]] && echo "Using trust anchors from $CACERTS" [[ -n "$CACERTS" ]] && echo "Using trust anchors from $CACERTS"
echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))" echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"