mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-26 07:53:41 +01:00
Add --cafile <filename.crt>, alongside --capath <dirpath/>.
For unknown reasons, while we previously supported --capath we did not support --cafile. This forces the --cafile autodetection logic to run every time, unnecessarily, when we have a specific file in mind to use. This patch relocates the -CAfile autodetection logic to run *only if* the --cafile parameter is not provided. If it is not provided, the autodetection logic occurs precisely as before. This patch declines to address what happens if both --capath and --cafile are passed. The previous logic already ensured that the CA file was *always* set, and then only sometimes was the CA path set. The new logic maintains that behavior precisely, reserving logic flow changes for a separate commit.
This commit is contained in:
parent
3f3e22b09a
commit
e35a6155bc
31
cipherscan
31
cipherscan
@ -54,19 +54,7 @@ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then
|
|||||||
export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
|
export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# find a list of trusted CAs on the local system, or use the provided list
|
CACERTS=""
|
||||||
if [[ -z "$CACERTS" ]]; then
|
|
||||||
for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
|
|
||||||
if [[ -e "$f" ]]; then
|
|
||||||
CACERTS="$f"
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
if [[ ! -e "$CACERTS" ]]; then
|
|
||||||
CACERTS="$DIRNAMEPATH/ca-bundle.crt"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
|
# RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
|
||||||
# (probably a result of a workaround for the bug in Apple implementation of ECDSA)
|
# (probably a result of a workaround for the bug in Apple implementation of ECDSA)
|
||||||
CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
|
CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
|
||||||
@ -1313,6 +1301,10 @@ do
|
|||||||
DELAY=$2
|
DELAY=$2
|
||||||
shift 2
|
shift 2
|
||||||
;;
|
;;
|
||||||
|
--cafile)
|
||||||
|
CACERTS="$2"
|
||||||
|
shift 2
|
||||||
|
;;
|
||||||
--capath)
|
--capath)
|
||||||
CAPATH="$2"
|
CAPATH="$2"
|
||||||
shift 2
|
shift 2
|
||||||
@ -1380,6 +1372,19 @@ if [[ $TEST_CURVES == "True" ]]; then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# find a list of trusted CAs on the local system, or use the provided list
|
||||||
|
if [[ -z "$CACERTS" ]]; then
|
||||||
|
for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
|
||||||
|
if [[ -e "$f" ]]; then
|
||||||
|
CACERTS="$f"
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
if [[ ! -e "$CACERTS" ]]; then
|
||||||
|
CACERTS="$DIRNAMEPATH/ca-bundle.crt"
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ $VERBOSE != 0 ]] ; then
|
if [[ $VERBOSE != 0 ]] ; then
|
||||||
[[ -n "$CACERTS" ]] && echo "Using trust anchors from $CACERTS"
|
[[ -n "$CACERTS" ]] && echo "Using trust anchors from $CACERTS"
|
||||||
echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"
|
echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"
|
||||||
|
Loading…
Reference in New Issue
Block a user