examples/cacertinmem: ignore cert-already-exists error

- Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE errors in the CTX callback
  since it's possible the cert may have already been loaded by libcurl.

- Remove the EXAMPLE code in the CURLOPT_SSL_CTX_FUNCTION.3 doc.
  Instead have it direct the reader to this cacertinmem.c example.

- Fix the CA certificate to use the right CA for example.com, Digicert.

Bug: https://curl.haxx.se/mail/lib-2017-12/0057.html
Reported-by: Thomas van Hesteren

Closes https://github.com/curl/curl/pull/2182

1 files changed, 2 insertions, 72 deletions

diff --git a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
index 6a6c57f35..929e0ee27 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
@@ -62,79 +62,9 @@ NULL
 .SH PROTOCOLS
 All TLS based protocols: HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
 .SH EXAMPLE
-.nf
-/* OpenSSL specific */
-
-#include <openssl/ssl.h>
-#include <curl/curl.h>
-#include <stdio.h>
-
-static CURLcode sslctx_function(CURL *curl, void *sslctx, void *parm)
-{
-  X509_STORE *store;
-  X509 *cert=NULL;
-  BIO *bio;
-  char *mypem = /* example CA cert PEM - shortened */
-    "-----BEGIN CERTIFICATE-----\\n"
-    "MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290\\n"
-    "IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB\\n"
-    "IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA\\n"
-    "Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO\\n"
-    "GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk\\n"
-    "zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW\\n"
-    "omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD\\n"
-    "-----END CERTIFICATE-----\\n";
-  /* get a BIO */
-  bio=BIO_new_mem_buf(mypem, -1);
-  /* use it to read the PEM formatted certificate from memory into an
-   * X509 structure that SSL can use
-   */
-  PEM_read_bio_X509(bio, &cert, 0, NULL);
-  if(cert == NULL)
-    printf("PEM_read_bio_X509 failed...\\n");
-
-  /* get a pointer to the X509 certificate store (which may be empty) */
-  store=SSL_CTX_get_cert_store((SSL_CTX *)sslctx);
-
-  /* add our certificate to this store */
-  if(X509_STORE_add_cert(store, cert)==0)
-    printf("error adding certificate\\n");
-
-  /* decrease reference counts */
-  X509_free(cert);
-  BIO_free(bio);
-
-  /* all set to go */
-  return CURLE_OK;
-}
-
-int main(void)
-{
-  CURL * ch;
-  CURLcode rv;
-
-  rv=curl_global_init(CURL_GLOBAL_ALL);
-  ch=curl_easy_init();
-  rv=curl_easy_setopt(ch, CURLOPT_SSLCERTTYPE, "PEM");
-  rv=curl_easy_setopt(ch, CURLOPT_SSL_VERIFYPEER, 1L);
-  rv=curl_easy_setopt(ch, CURLOPT_URL, "https://www.example.com/");
-
-  /* Retrieve page using cacerts' certificate -> will succeed
-   * load the certificate by installing a function doing the necessary
-   * "modifications" to the SSL CONTEXT just before link init
-   */
-  rv=curl_easy_setopt(ch, CURLOPT_SSL_CTX_FUNCTION, *sslctx_function);
-  rv=curl_easy_perform(ch);
-  if(rv==CURLE_OK)
-    printf("*** transfer succeeded ***\\n");
-  else
-    printf("*** transfer failed ***\\n");
+See cacertinmem.c in docs/examples directory for usage example.
 
-  curl_easy_cleanup(ch);
-  curl_global_cleanup();
-  return rv;
-}
-.fi
+https://curl.haxx.se/libcurl/c/cacertinmem.html
 .SH AVAILABILITY
 Added in 7.11.0 for OpenSSL. Added in 7.42.0 for wolfSSL/CyaSSL. Added in
 7.54.0 for mbedTLS. Other SSL backends not supported.