From: Amos Jeffries
Date: Sat, 21 May 2016 21:30:25 +0000 (+1200)
Subject: GnuTLS: Simplify trusted CA loading
X-Git-Tag: SQUID_4_0_11~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f4d3a570dd023d05836b7eb1f2d5d25b502f8c2;p=thirdparty%2Fsquid.git
GnuTLS: Simplify trusted CA loading
---
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index 74c7a9673c..c85cac4bfe 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -573,6 +573,22 @@ Security::PeerOptions::updateContextNpn(Security::ContextPtr &ctx)
     // it does support ALPN per-session, not per-context.
 }
 
+static const char *
+loadSystemTrustedCa(Security::ContextPtr &ctx)
+{
+#if USE_OPENSSL
+    if (SSL_CTX_set_default_verify_paths(ctx) == 0)
+        return ERR_error_string(ERR_get_error(), nullptr));
+
+#elif USE_GNUTLS
+    auto x = gnutls_certificate_set_x509_system_trust(ctx);
+    if (x < 0)
+        return gnutls_strerror(x);
+
+#endif
+    return nullptr;
+}
+
 void
 Security::PeerOptions::updateContextCa(Security::ContextPtr &ctx)
 {
@@ -594,17 +610,9 @@ Security::PeerOptions::updateContextCa(Security::ContextPtr &ctx)
     if (!flags.tlsDefaultCa)
         return;
 
-#if USE_OPENSSL
-    if (!SSL_CTX_set_default_verify_paths(ctx)) {
-        const int ssl_error = ERR_get_error();
-        debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default trusted CA : "
-               << ERR_error_string(ssl_error, NULL));
+    if (const char *err = loadSystemTrustedCa(ctx)) {
+        debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default trusted CA : " << err);
     }
-#elif USE_GNUTLS
-    if (gnutls_certificate_set_x509_system_trust(ctx) != GNUTLS_E_SUCCESS) {
-        debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default trusted CA.");
-    }
-#endif
 }
 
 void
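Review bot: The OpenSSL branch of the new loadSystemTrustedCa() has an unbalanced parenthesis, `return ERR_error_string(ERR_get_error(), nullptr));`, which will not compile when USE_OPENSSL is set; it should read `return ERR_error_string(ERR_get_error(), nullptr);`. In the GnuTLS branch, gnutls_certificate_set_x509_system_trust() returns the number of certificates it loaded, so a result of 0 now passes silently even though the context is left with no trust anchors; logging that case with a `debugs(83, DBG_IMPORTANT, ...)` line when `x == 0` would keep the empty-trust-store condition visible to operators, as the old `!= GNUTLS_E_SUCCESS` test did, while still not misreporting positive counts as failures. ERR_error_string(..., nullptr) hands back a library-owned static buffer that the next such call overwrites, which the caller in the second hunk consumes immediately, so a one-line contract comment on the function, e.g. `// Returns nullptr on success, else a library-owned error string valid only until the next error-string call.`, would protect future callers. The call site in the second hunk sits inside updateContextCa(), whose body begins in the first hunk's trailing context.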