{
cerr << "sdig" << endl;
cerr << "Syntax: sdig IP-ADDRESS-OR-DOH-URL PORT QNAME QTYPE "
- "[dnssec] [ednssubnet SUBNET/MASK] [hidesoadetails] [hidettl] "
- "[recurse] [showflags] [tcp] [dot] [insecure] [subjectName name][xpf XPFDATA] [class CLASSNUM] "
+ "[dnssec] [ednssubnet SUBNET/MASK] [hidesoadetails] [hidettl] [recurse] [showflags] "
+ "[tcp] [dot] [insecure] [subjectName name] [caStore file] [tlsProvider provider] "
+ "[xpf XPFDATA] [class CLASSNUM] "
"[proxy UDP(0)/TCP(1) SOURCE-IP-ADDRESS-AND-PORT DESTINATION-IP-ADDRESS-AND-PORT]"
<< endl;
}
uint16_t qclass = QClass::IN;
string proxyheader;
string subjectName;
+ string caStore;
+ string tlsProvider = "openssl";
for (int i = 1; i < argc; i++) {
if ((string)argv[i] == "--help") {
qclass = atoi(argv[++i]);
}
else if (strcmp(argv[i], "subjectName") == 0) {
- if (argc < i+2) {
+ if (argc < i + 2) {
cerr << "subjectName needs an argument"<<endl;
exit(EXIT_FAILURE);
}
subjectName = argv[++i];
}
+ else if (strcmp(argv[i], "caStore") == 0) {
+ if (argc < i + 2) {
+ cerr << "caStore needs an argument"<<endl;
+ exit(EXIT_FAILURE);
+ }
+ caStore = argv[++i];
+ }
+ else if (strcmp(argv[i], "tlsProvider") == 0) {
+ if (argc < i + 2) {
+ cerr << "tlsProvider needs an argument"<<endl;
+ exit(EXIT_FAILURE);
+ }
+ tlsProvider = argv[++i];
+ }
else if (strcmp(argv[i], "proxy") == 0) {
if(argc < i+4) {
cerr<<"proxy needs three arguments"<<endl;
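Review bot: The new `caStore` branch accepts an empty string as its argument, and an empty `d_caStore` later selects the system default store in the OpenSSL context (the `params.d_caStore.empty()` test in the tcpiohandler.cc hunk further down), so `sdig ... caStore ""` silently validates against the default CAs instead of failing. Worth rejecting an empty path at parse time, right after the assignment: `if (caStore.empty()) { cerr << "caStore needs a non-empty file path" << endl; exit(EXIT_FAILURE); }`. The same `argc < i + 2` guard now appears three times in a row (subjectName, caStore, tlsProvider); a small helper would keep the bound and the messages in one place. The enclosing argument loop continues past the end of this hunk.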
std::shared_ptr<TLSCtx> tlsCtx{nullptr};
if (dot) {
TLSContextParameters tlsParams;
- tlsParams.d_provider = "openssl";
+ tlsParams.d_provider = tlsProvider;
tlsParams.d_validateCertificates = !insecureDoT;
+ tlsParams.d_caStore = caStore;
tlsCtx = getTLSContext(tlsParams);
}
uint16_t counter = 0;
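Review bot: Assigning `tlsParams.d_caStore` changes what certificate validation means for `dot` connections, and nothing here says so: per the tcpiohandler.cc hunk below, a non-empty store is loaded with `SSL_CTX_load_verify_locations` in place of the system default paths rather than in addition to them, and only as a CA file (the CApath argument is `nullptr`), so a directory passed to `caStore` is rejected. That is a sensible choice for a diagnostic tool but deserves a line at the assignment, e.g. `// caStore, when set, replaces the system trust store (CA file only, no CApath)`. Also, with `insecure` unset (`d_validateCertificates` stays true) a missing or unreadable CA file now surfaces as a `std::runtime_error` thrown out of `getTLSContext`; whether sdig's `main` catches it to print a message is outside this hunk, so please confirm the user sees a readable error rather than an uncaught-exception abort.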
registerOpenSSLUser();
#if 0 // XXX
- s_ticketsKeyIndex = SSL_CTX_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
-
- if (s_ticketsKeyIndex == -1) {
- throw std::runtime_error("Error getting an index for tickets key");
- }
+ s_ticketsKeyIndex = SSL_CTX_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
+
+ if (s_ticketsKeyIndex == -1) {
+ throw std::runtime_error("Error getting an index for tickets key");
}
#endif
#endif /* HAVE_SSL_CTX_SET_CIPHERSUITES */
if (params.d_validateCertificates) {
- // XXX parameter!
- if (SSL_CTX_set_default_verify_paths(d_tlsCtx.get()) != 1) {
- warnlog("could not load default CA store");
+ if (params.d_caStore.empty()) {
+ if (SSL_CTX_set_default_verify_paths(d_tlsCtx.get()) != 1) {
+ throw std::runtime_error("Error adding the system's default trusted CAs");
+ }
+ } else {
+ if (SSL_CTX_load_verify_locations(d_tlsCtx.get(), params.d_caStore.c_str(), nullptr) != 1) {
+ throw std::runtime_error("Error adding the trusted CAs file " + params.d_caStore);
+ }
}
SSL_CTX_set_verify(d_tlsCtx.get(), SSL_VERIFY_PEER, nullptr);