[Spice-commits] gtk/spice-channel.c
Christophe Fergeau
teuf at kemper.freedesktop.org
Tue Nov 19 06:30:09 PST 2013
gtk/spice-channel.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
New commits:
commit 4642a31a1e5c4c0a68398fd51549f1e6c4146d9f
Author: Christophe Fergeau <cfergeau at redhat.com>
Date: Wed Sep 18 11:59:44 2013 +0200
Use system-wide trust certificate store
Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
by default for its trust certificate store (to verify the certificates
used during SPICE TLS connections).
However, these days, progress is underway to have a system-wide
certificate store [1].
In order to use it, we only need to call SSL_CTX_set_default_verify_paths()
and it will automatically use the shared system CA store if the distro
is properly set up.
We only try to use that store if there was no user-provided CA file to use,
or if we failed to load it.
[1] https://fedoraproject.org/wiki/Features/SharedSystemCertificates
diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index d0b93f4..ccf15d3 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -2153,6 +2153,7 @@ static int spice_channel_load_ca(SpiceChannel *channel)
guint8 *ca;
guint size;
const gchar *ca_file;
+ int rc;
g_return_val_if_fail(c->ctx != NULL, 0);
@@ -2184,13 +2185,21 @@ static int spice_channel_load_ca(SpiceChannel *channel)
}
if (ca_file != NULL) {
- int rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
+ rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
if (rc != 1)
g_warning("loading ca certs from %s failed", ca_file);
else
count++;
}
+ if (count == 0) {
+ rc = SSL_CTX_set_default_verify_paths(c->ctx);
+ if (rc != 1)
+ g_warning("loading ca certs from default location failed");
+ else
+ count++;
+ }
+
return count;
}
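Review bot: The new `if (count == 0)` fallback also runs when a user-provided CA file was configured but `SSL_CTX_load_verify_locations()` failed, so a connection the user meant to anchor to one specific CA ends up trusting every CA in the system store, with only a `g_warning()` to show for it. Consider taking the default-paths branch only when no CA was supplied at all (for example, when `ca_file == NULL` and no in-memory CA was set), and treating a failed load of an explicitly configured file as an error that leaves `count` at 0. If the wider fallback is intended, it should be stated in the documentation for the CA file setting, because it changes what configuring a private CA guarantees.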