lib-ldap, lib-http: Use ssl_iostream_settings.ca instead of ca_file
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Thu, 1 Feb 2024 15:02:56 +0000 (17:02 +0200)
committerAki Tuomi <aki.tuomi@open-xchange.com>
Wed, 12 Feb 2025 10:34:11 +0000 (12:34 +0200)
src/lib-http/test-http-client.c
src/lib-ldap/ldap-connection.c

index 267694ccd10b27864fb8e6c87fd73c96d40f1797..ea543c395cb7552206d723c6ae18985506831f43 100644 (file)
@@ -385,8 +385,17 @@ int main(int argc, char *argv[])
        ssl_set.allow_invalid_cert = TRUE;
        if (stat("/etc/ssl/certs", &st) == 0 && S_ISDIR(st.st_mode))
                ssl_set.ca_dir = "/etc/ssl/certs"; /* debian */
-       if (stat("/etc/ssl/certs", &st) == 0 && S_ISREG(st.st_mode))
-               ssl_set.ca_file = "/etc/pki/tls/cert.pem"; /* redhat */
+       if (stat("/etc/ssl/certs", &st) == 0 && S_ISREG(st.st_mode)) {
+               /* redhat */
+               const char *ca_value;
+               if (settings_parse_read_file("/etc/pki/tls/cert.pem",
+                                            "/etc/pki/tls/cert.pem",
+                                            unsafe_data_stack_pool,
+                                            &ca_value, &error) < 0)
+                       i_fatal("%s", error);
+               settings_file_get(ca_value, unsafe_data_stack_pool,
+                                 &ssl_set.ca);
+       }
 
        http_client_settings_init(null_pool, &http_set);
        http_set.max_idle_time_msecs = 5*1000;
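Review bot: The rewritten RedHat branch still tests the wrong path: the `if` line stats `/etc/ssl/certs` (the same path the debian check two lines earlier tests for S_ISDIR) but the body reads `/etc/pki/tls/cert.pem`, so the S_ISREG check never concerns the file that is actually loaded and the two branches are mutually exclusive tests of one path rather than probes of two locations. The condition should stat the file it is about to read, `if (stat("/etc/pki/tls/cert.pem", &st) == 0 && S_ISREG(st.st_mode)) {`. The removed lines had the same mismatch, so this is pre-existing, but the commit rewrites the block and is the place to fix it. `error` is not declared within the hunk; presumably it is declared earlier in main(), which starts outside the hunk.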
index 6e322f693a45c132182857d743eb0cf6035c40ab..f33d374ebcec38a112f387b8fb3f71d87b98b84e 100644 (file)
@@ -70,8 +70,15 @@ int ldap_connection_setup(struct ldap_connection *conn, const char **error_r)
        /* timelimit */
        ldap_set_option(conn->conn, LDAP_OPT_TIMELIMIT, &opt);
 
-       if (conn->ssl_set.ca_file != NULL)
-               ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CACERTFILE, conn->ssl_set.ca_file);
+       if (conn->ssl_set.ca.content != NULL &&
+           conn->ssl_set.ca.content[0] != '\0') {
+               if (conn->ssl_set.ca.path[0] == '\0') {
+                       *error_r = "LDAP doesn't support inline ssl_client_ca_file - use a path";
+                       return -1;
+               }
+               ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CACERTFILE,
+                               conn->ssl_set.ca.path);
+       }
        if (conn->ssl_set.ca_dir != NULL)
                ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CACERTDIR, conn->ssl_set.ca_dir);
 
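Review bot: The added `ca.path[0]` test dereferences the path without a NULL check, while the enclosing condition two lines above explicitly treats `ca.content` as possibly NULL; ldap_connection_init in a later hunk copies both fields with p_strdup, which in Dovecot returns NULL for a NULL source, so a content-without-path combination would crash here instead of returning the intended error. Make the test symmetric with the content check: `if (conn->ssl_set.ca.path == NULL || conn->ssl_set.ca.path[0] == '\0') {`. It is also worth a short comment on the ldap_set_option call that only the path reaches libldap, e.g. `/* libldap loads CAs only from a file; ca.content is not passed through */`, since the data the library actually trusts is whatever is on disk at connect time rather than the content the settings layer read. ldap_connection_setup continues outside the hunk.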
@@ -135,7 +142,7 @@ bool ldap_connection_have_settings(struct ldap_connection *conn,
                return FALSE;
        if (null_strcmp(conn->ssl_set.curve_list, set->ssl_set->curve_list) != 0)
                return FALSE;
-       if (null_strcmp(conn->ssl_set.ca_file, set->ssl_set->ca_file) != 0)
+       if (null_strcmp(conn->ssl_set.ca.path, set->ssl_set->ca.path) != 0)
                return FALSE;
        if (null_strcmp(conn->ssl_set.cert.cert.content,
                        set->ssl_set->cert.cert.content) != 0)
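Review bot: The replaced comparison looks only at `ca.path`, whereas ldap_connection_setup in the previous hunk decides whether to apply the CA at all from `ca.content` being non-empty, and the `cert` comparison directly below compares the `.content` field; two settings that differ only in content would be reported as matching. For consistency add `if (null_strcmp(conn->ssl_set.ca.content, set->ssl_set->ca.content) != 0) return FALSE;` after the path comparison. ldap_connection_have_settings starts and ends outside the hunk.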
@@ -185,7 +192,9 @@ int ldap_connection_init(struct ldap_client *client,
                conn->set.ssl_set = &conn->ssl_set;
                conn->ssl_set.min_protocol = p_strdup(pool, set->ssl_set->min_protocol);
                conn->ssl_set.cipher_list = p_strdup(pool, set->ssl_set->cipher_list);
-               conn->ssl_set.ca_file = p_strdup(pool, set->ssl_set->ca_file);
+               conn->ssl_set.ca.path = p_strdup(pool, set->ssl_set->ca.path);
+               conn->ssl_set.ca.content =
+                       p_strdup(pool, set->ssl_set->ca.content);
                conn->ssl_set.cert.cert.path =
                        p_strdup(pool, set->ssl_set->cert.cert.path);
                conn->ssl_set.cert.cert.content =