From: Mike Miller
Date: Thu, 19 Jul 2012 05:10:42 +0000 (-0400)
Subject: Check for system CA certificate file for GnuTLS
X-Git-Tag: v4.06~1
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=25d2886a101fc762ccbedece2651e8e518971ef3;p=users%2Fdwmw2%2Fopenconnect.git

Check for system CA certificate file for GnuTLS

Look in certain well-known system paths for the default file to give to gnutls_certificate_set_x509_trust_file() if required. Auto-detection is inspired by the GnuTLS configure script.

Signed-off-by: Mike Miller
Signed-off-by: David Woodhouse
---
diff --git a/configure.ac b/configure.ac
index c067276d..d03c9fd2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -179,6 +179,10 @@ if test "$USE_NLS" = "yes"; then
 fi
 AM_CONDITIONAL(USE_NLS, [test "$USE_NLS" = "yes"])
 
+AC_ARG_WITH([system-cafile],
+ AS_HELP_STRING([--with-system-cafile],
+ [Location of the default system CA certificate file for old (<3.0.20) GnuTLS versions]))
+
 # We will use GnuTLS if it's requested, and if GnuTLS doesn't have DTLS
 # support then we'll *also* use OpenSSL for that, but it appears *only*
 # only in the openconnect executable and not the library (hence shouldn't
@@ -209,6 +213,38 @@ if test "$with_gnutls" = "yes"; then
 [AC_DEFINE(HAVE_GNUTLS_DTLS_SET_DATA_MTU, 1)], [])
 AC_CHECK_FUNC(gnutls_certificate_set_x509_system_trust,
 [AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST, 1)], [])
+ if test "$ac_cv_func_gnutls_certificate_set_x509_system_trust" != "yes"; then
+ # We will need to tell GnuTLS the path to the system CA file.
+ if test "$with_system_cafile" = "yes" || test "$with_system_cafile" = ""; then
+ unset with_system_cafile
+ AC_MSG_CHECKING([For location of system CA trust file])
+ for file in /etc/ssl/certs/ca-certificates.crt \
+ /etc/pki/tls/cert.pem \
+ /usr/local/share/certs/ca-root-nss.crt \
+ /etc/ssl/cert.pem; do
+ if grep 'BEGIN CERTIFICATE-----' $file >/dev/null 2>&1; then
+ with_system_cafile=${file}
+ break
+ fi
+ done
+ AC_MSG_RESULT([${with_system_cafile-NOT FOUND}])
+ elif test "$with_system_cafile" = "no"; then
+ AC_MSG_ERROR([You cannot disable the system CA certificate file.])
+ fi
+ if test "$with_system_cafile" = ""; then
+ AC_MSG_ERROR([Unable to find a standard system CA certificate file.]
+ [Your GnuTLS requires a path to a CA certificate store. This is a file]
+ [which contains a list of the Certificate Authorities which are trusted.]
+ [Most distributions ship with this file in a standard location, but none]
+ [the known standard locations exist on your system. You should provide a]
+ [--with-system-cafile= argument to this configure script, giving the full]
+ [path to a default CA certificate file for GnuTLS to use. Also, please]
+ [send full details of your system, including 'uname -a' output and the]
+ [location of the system CA certificate store on your system, to the]
+ [openconnect-devel@lists.infradead.org mailing list.])
+ fi
+ AC_DEFINE_UNQUOTED([DEFAULT_SYSTEM_CAFILE], ["$with_system_cafile"])
+ fi
 AC_CHECK_FUNC(gnutls_pkcs12_simple_parse,
 [AC_DEFINE(HAVE_GNUTLS_PKCS12_SIMPLE_PARSE, 1)], [])
 AC_CHECK_FUNC(gnutls_certificate_set_key,
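Review bot: An explicitly supplied `--with-system-cafile=PATH` is accepted without any check, whereas the auto-detected candidates must pass the `grep 'BEGIN CERTIFICATE-----'` probe; a mistyped or build-host-only path is baked into `DEFAULT_SYSTEM_CAFILE` and only shows up at runtime as an empty trust store. Running the same probe on the user-supplied value, as a further branch after the `= "no"` case, fails early: `elif ! grep 'BEGIN CERTIFICATE-----' "$with_system_cafile" >/dev/null 2>&1; then` / `AC_MSG_ERROR([$with_system_cafile does not look like a PEM certificate bundle])`. The auto-detection loop itself reads the build host's filesystem, so when `$cross_compiling` is yes the detected path describes the wrong machine; skipping detection and requiring the option in that case would avoid shipping a binary whose default CA path never exists on the target. The long error text also reads "but none the known standard locations" and is missing "of".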
diff --git a/gnutls.c b/gnutls.c
index 42f709ac..d9e550d8 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1751,7 +1751,7 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 gnutls_certificate_set_x509_system_trust(vpninfo->https_cred);
 #else
 gnutls_certificate_set_x509_trust_file(vpninfo->https_cred,
- "/etc/pki/tls/certs/ca-bundle.crt",
+ DEFAULT_SYSTEM_CAFILE,
 GNUTLS_X509_FMT_PEM);
 #endif
 gnutls_certificate_set_verify_function (vpninfo->https_cred,
diff --git a/www/changelog.xml b/www/changelog.xml
index 70399477..3a44199a 100644
--- a/www/changelog.xml
+++ b/www/changelog.xml
@@ -17,6 +17,7 @@
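Review bot: The result of `gnutls_certificate_set_x509_trust_file()` is still discarded, so if `DEFAULT_SYSTEM_CAFILE` (a path fixed on the build host at configure time) is missing or unreadable where the binary actually runs, the credentials are left with no trust anchors and the user only sees a later, less specific certificate-verification failure. GnuTLS returns the number of certificates loaded or a negative error code, so a non-positive result should be reported at this call: `int ncerts = gnutls_certificate_set_x509_trust_file(vpninfo->https_cred, DEFAULT_SYSTEM_CAFILE, GNUTLS_X509_FMT_PEM);` followed by `if (ncerts <= 0) vpn_progress(vpninfo, PRG_ERR, _("Failed to load system CA file %s: %s\n"), DEFAULT_SYSTEM_CAFILE, ncerts ? gnutls_strerror(ncerts) : "no certificates found");`. The `gnutls_certificate_set_x509_system_trust()` call in the other branch of the `#ifdef` is unchecked in the same way and would benefit from the same treatment. openconnect_open_https() begins and ends outside the hunk.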
  • OpenConnect HEAD
      +
    • Fix default CA location for non-Fedora systems with old GnuTLS.
    • Improve error handing when vpnc-script exits with error.
    • Handle PKCS#11 tokens which won't list keys without login.