configure: --with-ca-fallback: use built-in TLS CA fallback

When trying to verify a peer without having any root CA certificates set, this makes libcurl use the TLS library's built in default as fallback. Closes #569
author: Ludwig Nussel <ludwig.nussel@suse.de> 2015-03-24 13:25:17 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2016-02-08 14:45:58 +0100
commit: 7b55279d1d856c9ef19d942c2672a3d616254452 (patch)
tree: 178da7437e093731e538402eb33b893224611389 /lib/vtls/gtls.c
parent: 113f04e664b16b944e64498a73a4dab990fe9a68 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index a9702c4a4..2c7eb1729 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -487,6 +487,14 @@ gtls_connect_step1(struct connectdata *conn,
   }
 #endif
 
+#ifdef CURL_CA_FALLBACK
+  /* use system ca certificate store as fallback */
+  if(data->set.ssl.verifypeer &&
+     !(data->set.ssl.CAfile || data->set.ssl.CApath)) {
+    gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
+  }
+#endif
+
   if(data->set.ssl.CRLfile) {
     /* set the CRL list file */
     rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,
author	Ludwig Nussel <ludwig.nussel@suse.de>	2015-03-24 13:25:17 +0100
committer	Daniel Stenberg <daniel@haxx.se>	2016-02-08 14:45:58 +0100
commit	7b55279d1d856c9ef19d942c2672a3d616254452 (patch)
tree	178da7437e093731e538402eb33b893224611389 /lib/vtls/gtls.c
parent	113f04e664b16b944e64498a73a4dab990fe9a68 (diff)