authorGuilhem Moulin <guilhem@fripost.org>2020-12-13 17:43:52 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-12-13 18:44:18 +0100
commit8c43ed9baa905d907a6aad77de2282a852ba69a9 (patch)
tree4b8ecfe08d1aafcfde68cce0fb63b1bf4ec9542d /lib/Net
parentba9d8af01141a6d5d5b98a0e249c311814b844a6 (diff)
libinterimap: use default locations for trusted CA certificates when neither CAfile nor CApath are set.
In particular, OpenSSL's default locations can be overridden by the SSL_CERT_FILE resp. SSL_CERT_DIR environment variables, see SSL_CTX_load_verify_locations(3ssl). This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is used).
Diffstat (limited to 'lib/Net')
-rw-r--r--lib/Net/IMAP/InterIMAP.pm10
1 files changed, 7 insertions, 3 deletions
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index 5bdd954..89e5cba 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -1776,10 +1776,14 @@ sub _start_ssl($$) {
$self->panic("Failed requirement libssl >=1.0.2") if $OPENSSL_VERSION < 0x1000200f;
# verify certificate chain
- my ($file, $path) = ($self->{SSL_CAfile} // '', $self->{SSL_CApath} // '');
- if ($file ne '' or $path ne '') {
+ if (defined $self->{SSL_CAfile} or defined $self->{SSL_CApath}) {
$self->_ssl_error("SSL_CTX_load_verify_locations()")
- unless Net::SSLeay::CTX_load_verify_locations($ctx, $file, $path) == 1;
+ unless Net::SSLeay::CTX_load_verify_locations($ctx,
+ $self->{SSL_CAfile} // '', $self->{SSL_CApath} // '') == 1;
+ } else {
+ $self->log("Using default locations for trusted CA certificates") if $self->{debug};
+ $self->_ssl_error("SSL_CTX_set_default_verify_paths()")
+ unless Net::SSLeay::CTX_set_default_verify_paths($ctx) == 1;
}
# verify DNS hostname or IP literal
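Review bot: The new `defined` test on the chain-verification `if` treats an empty-but-defined `SSL_CAfile` or `SSL_CApath` as set, whereas the removed code treated `''` as unset; such a value now reaches `CTX_load_verify_locations` with two empty strings and probably ends in `_ssl_error` instead of taking the new default-locations branch. If the configuration layer (outside this hunk) can yield empty strings, the old semantics would be kept with `if (($self->{SSL_CAfile} // '') ne '' or ($self->{SSL_CApath} // '') ne '') {`. The context line above still panics only below libssl 1.0.2 while the commit message states a 1.1.0 minimum, so that guard and its message may need raising unless the new minimum is enforced elsewhere. Because the fallback trust store can be redirected through `SSL_CERT_FILE`/`SSL_CERT_DIR`, a short comment on the `else` branch saying so would help operators who run this with an inherited environment. `_start_ssl` begins and ends outside the hunk.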