From 5a1614cecdd57cab8b4ae3e9bc19dfff5ba77e80 Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini Date: Sun, 8 Mar 2015 20:11:06 +0100 Subject: gtls: add support for CURLOPT_CAPATH --- lib/vtls/gtls.c | 22 ++++++++++++++++++++++ lib/vtls/gtls.h | 3 +++ 2 files changed, 25 insertions(+) (limited to 'lib') diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 05aef1967..c7925404e 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -97,6 +97,10 @@ static bool gtls_inited = FALSE; # if (GNUTLS_VERSION_NUMBER >= 0x03020d) # define HAS_OCSP # endif + +# if (GNUTLS_VERSION_NUMBER >= 0x030306) +# define HAS_CAPATH +# endif #endif #ifdef HAS_OCSP @@ -462,6 +466,24 @@ gtls_connect_step1(struct connectdata *conn, rc, data->set.ssl.CAfile); } +#ifdef HAS_CAPATH + if(data->set.ssl.CApath) { + /* set the trusted CA cert directory */ + rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred, + data->set.ssl.CApath, + GNUTLS_X509_FMT_PEM); + if(rc < 0) { + infof(data, "error reading ca cert file %s (%s)\n", + data->set.ssl.CAfile, gnutls_strerror(rc)); + if(data->set.ssl.verifypeer) + return CURLE_SSL_CACERT_BADFILE; + } + else + infof(data, "found %d certificates in %s\n", + rc, data->set.ssl.CApath); + } +#endif + if(data->set.ssl.CRLfile) { /* set the CRL list file */ rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred, diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h index c3867e540..af1cb5b10 100644 --- a/lib/vtls/gtls.h +++ b/lib/vtls/gtls.h @@ -54,6 +54,9 @@ bool Curl_gtls_cert_status_request(void); /* Set the API backend definition to GnuTLS */ #define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS +/* this backend supports the CAPATH option */ +#define have_curlssl_ca_path 1 + /* API setup for GnuTLS */ #define curlssl_init Curl_gtls_init #define curlssl_cleanup Curl_gtls_cleanup -- cgit v1.2.3