From f4cb178f6c1d5729b0f84d59d6f3c8cf428af2c5 Mon Sep 17 00:00:00 2001
From: Juan RP
Date: Wed, 28 Oct 2015 07:31:26 +0100
Subject: [PATCH] libfetch: use default CA path rather than default CA file.

The default CA file set by FreeBSD is only available when using the LibreSSL provided CA file, and we've decided to use the CA path by default. Discussed with @dominikh.
---
 lib/fetch/common.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/fetch/common.c b/lib/fetch/common.c
index 9640799f..bad27aa0 100644
--- a/lib/fetch/common.c
+++ b/lib/fetch/common.c
@@ -831,9 +831,9 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
 const char *ca_cert_file, *ca_cert_path, *crl_file;
 if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
- ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ?
- getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem";
- ca_cert_path = getenv("SSL_CA_CERT_PATH");
+ ca_cert_file = getenv("SSL_CA_CERT_FILE");
+ ca_cert_path = getenv("SSL_CA_CERT_PATH") != NULL ?
+ getenv("SSL_CA_CERT_PATH") : X509_get_default_cert_dir();
 if (verbose) {
 fetch_info("Peer verification enabled");
 if (ca_cert_file != NULL)
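Review bot: With `SSL_CA_CERT_FILE` unset, `ca_cert_file` is now NULL, so the only trust anchors come from `X509_get_default_cert_dir()`, the directory compiled into the TLS library. A CA directory is searched by hash-named entries, so a missing or un-rehashed directory would make every peer verification fail. That fails closed, but it may push users toward `SSL_NO_VERIFY_PEER`, so the assignment deserves a comment such as `/* default: the library's compiled-in CA directory; it must hold hash-named links (c_rehash) */`. The ternary also calls `getenv("SSL_CA_CERT_PATH")` twice and treats an empty value as a real path; reading it once into a local `p` and assigning `ca_cert_path = (p != NULL && *p != '\0') ? p : X509_get_default_cert_dir();` avoids both. The function body continues past the end of the hunk, so whether the result of loading these locations is checked is not visible here.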