From: Petr Mensik
Date: Thu, 12 May 2022 14:07:41 +0000 (+0200)
Subject: Allow using system certificates not only on Windows
X-Git-Tag: release-1.16.0rc1~8^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F677%2Fhead;p=thirdparty%2Funbound.git

Allow using system certificates not only on Windows

OpenSSL has a way to load default file. That file might contain usable certificates to verify common connections. Allow similar trust as on windows and leave it on openssl package to provide sane defaults. Also provide use-system-cert alias, because it is not windows specific anymore.
---
diff --git a/util/config_file.c b/util/config_file.c
index ec1a0387e..bd60bdec9 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -546,6 +546,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 else S_STR("ssl-cert-bundle:", tls_cert_bundle)
 else S_STR("tls-cert-bundle:", tls_cert_bundle)
 else S_YNO("tls-win-cert:", tls_win_cert)
+ else S_YNO("tls-system-cert:", tls_win_cert)
 else S_STRLIST("additional-ssl-port:", tls_additional_port)
 else S_STRLIST("additional-tls-port:", tls_additional_port)
 else S_STRLIST("tls-additional-ports:", tls_additional_port)
diff --git a/util/net_help.c b/util/net_help.c
index 8bef56890..114920e3f 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -1271,7 +1271,13 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
 }
 }
 #else
- (void)wincert;
+ if(wincert) {
+ if(!SSL_CTX_set_default_verify_paths(ctx)) {
+ log_crypto_err("error in default_verify_paths");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ }
 #endif
 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
 }
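Review bot: The alias added here is `tls-system-cert:`, but the commit message announces a `use-system-cert` alias; one of the two should be corrected so the documented name matches what `config_set_option` actually accepts. This hunk only wires the alias into `config_set_option`, which as far as I can tell is the path used by `unbound-control set_option`; unless the config lexer, `config_get_option` and unbound.conf(5) are updated elsewhere in this PR, the new name will not be recognised in a config file or reported back by `get_option`. A short comment on the new line, `/* tls-system-cert: alias for tls-win-cert, same cfg field */`, would make the shared `tls_win_cert` storage explicit for the next reader. `config_set_option` begins and ends outside the hunk.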
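Review bot: The failure branch after `SSL_CTX_set_default_verify_paths(ctx)` is unlikely to ever run for the case operators will actually hit — a missing or empty default CA bundle — because, as far as I recall, OpenSSL's `X509_STORE_set_default_paths` clears the error queue and returns 1 even when the default file and directory do not exist; the empty trust store then only surfaces later as a verify failure at handshake time, with no hint that the bundle was never loaded. It is worth saying so at the call site, e.g. `/* loads OpenSSL's default CA file/dir (overridable via SSL_CERT_FILE / SSL_CERT_DIR in the daemon's environment); a missing bundle is not reported here and only fails at handshake verification */`, since the effective trust anchors now depend on the build's OpenSSL defaults and on the environment unbound is started in. On a genuine error the hunk frees `ctx` and returns NULL, which appears consistent with the Windows branch above it, although that branch and the surrounding `if` that the `#else` sits in lie outside the hunk, so I cannot confirm the guard conditions here; `connect_sslctx_create` starts before the hunk.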