Enhancement #350: Allow CA mode check store to be a file instead of a directory
Status: closed (100% done)
Description
I use Bip on Fedora, which has a feature in the last few versions called Shared System Certificates - https://fedoraproject.org/wiki/Features/SharedSystemCertificates - which provides a system-wide store of trusted CAs, hooks into various apps and libraries, and some tools for managing it. It's a neat feature.
It doesn't provide a representation of its data in the form that Bip wants for its 'ssl_check_store' parameter when operating in CA mode, though: Bip expects a directory full of .pems with a c_rehash-generated index, whereas the Fedora system only provides bundles in various formats.
So, I fixed it. Attaching a patch which checks whether the check store is a file or a directory when activating it at the time it sets up a new server connection, and calls SSL_CTX_load_verify_locations() appropriately (the function already supports both approaches; it was only Bip's use of it which restricted you to using a directory). With this applied I can set:
ssl_check_store = "/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt";
and it works fine. I also checked that it errors correctly if set to a non-existent file.
I am no kind of C coder so it may be possible to improve on this, but it works fine for me. st_buf is defined where it is because defining it right after case SSL_CHECK_CA: appears to be a violation of C grammar.
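The file-or-directory dispatch the patch describes, written out as an added example (this is not the attached patch or Bip's own code). It classifies the configured store with stat(2), hands a regular file to the CAfile argument and a directory to the CApath argument of a loader with the shape of OpenSSL's SSL_CTX_load_verify_locations(), and fails cleanly for a missing path or for something that is neither. Passing the loader as a callback is a hypothetical indirection so the example builds and runs without linking OpenSSL; Bip itself would call the real function on its SSL_CTX. The sample bundle path under /tmp and the recording stub are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/*
 * Shape of OpenSSL's SSL_CTX_load_verify_locations(SSL_CTX *, const char *CAfile,
 * const char *CApath): returns 1 on success, 0 on failure. Taken as a callback here
 * (hypothetical indirection) so the dispatch can be exercised without OpenSSL.
 */
typedef int (*load_verify_fn)(void *ctx, const char *ca_file, const char *ca_path);

enum store_kind { STORE_MISSING = -1, STORE_OTHER, STORE_FILE, STORE_DIR };

/* Classify ssl_check_store with stat(2); st_buf plays the role of the patch's struct stat. */
enum store_kind classify_check_store(const char *path)
{
    struct stat st_buf;

    if (path == NULL) {
        errno = EINVAL;
        return STORE_MISSING;
    }
    if (stat(path, &st_buf) != 0)
        return STORE_MISSING;          /* errno set by stat(), e.g. ENOENT */
    if (S_ISREG(st_buf.st_mode))
        return STORE_FILE;             /* a bundle such as ca-bundle.trust.crt */
    if (S_ISDIR(st_buf.st_mode))
        return STORE_DIR;              /* a c_rehash-style directory */
    return STORE_OTHER;                /* device, socket, fifo: refuse it */
}

/* Load the store: file -> CAfile argument, directory -> CApath argument. 1 ok, 0 error. */
int load_check_store(void *ctx, const char *path, load_verify_fn load)
{
    switch (classify_check_store(path)) {
    case STORE_FILE:
        return load(ctx, path, NULL);
    case STORE_DIR:
        return load(ctx, NULL, path);
    case STORE_MISSING:
        fprintf(stderr, "ssl_check_store %s: %s\n", path ? path : "(null)", strerror(errno));
        return 0;
    default:
        fprintf(stderr, "ssl_check_store %s: not a regular file or directory\n", path);
        return 0;
    }
}

/* Recording stand-in for SSL_CTX_load_verify_locations (constructed for the example). */
static char last_file[4096], last_path[4096];
static int record_load(void *ctx, const char *ca_file, const char *ca_path)
{
    (void)ctx;
    snprintf(last_file, sizeof last_file, "%s", ca_file ? ca_file : "");
    snprintf(last_path, sizeof last_path, "%s", ca_path ? ca_path : "");
    return 1;
}

/* Run the dispatch with the recorder: 'f' loaded as CAfile, 'd' as CApath, 'e' rejected. */
char probe_check_store(const char *path)
{
    last_file[0] = last_path[0] = '\0';
    if (!load_check_store(NULL, path, record_load))
        return 'e';
    return last_file[0] ? 'f' : 'd';
}

/* Write a constructed placeholder bundle to /tmp so a regular-file store can be tried. */
const char *make_sample_bundle(void)
{
    static const char path[] = "/tmp/bip-check-store-example.crt";
    FILE *fp = fopen(path, "w");

    if (fp == NULL)
        return NULL;
    fputs("# constructed placeholder, not a real certificate bundle\n", fp);
    fclose(fp);
    return path;
}

int main(void)
{
    const char *candidates[] = {
        "/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt", /* Fedora bundle file */
        "/etc/ssl/certs",                                           /* typical hashed dir */
        "/dev/null",                                                /* neither: rejected */
        "/nonexistent/ca-bundle.trust.crt",                         /* missing: rejected */
        make_sample_bundle(),
    };
    size_t i;

    for (i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%-60s -> %c\n", candidates[i] ? candidates[i] : "(null)",
               probe_check_store(candidates[i]));
    return 0;
}
```

Running it prints one line per candidate path showing whether it would be handed to OpenSSL as a bundle file, as a directory, or rejected; the missing-path case is the "errors correctly if set to a non-existent file" behaviour from the description, with the stat() errno in the message.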
Files