Hoist loading default root certificates into ircConfig()
tls_connect_socket(3) in ircConnect() does that by default already unless tls_config_set_ca_file(3) was used. Loading CA certificates before connecting makes no practical difference except on OpenBSD where this allows for tighter unveil und pledge setups now that all required (TLS related) file I/O is finished by the time ircConnect() gets to do network I/O. In case of the hidden `-!' insecure flag which is implied by `-o' to print server certificates and exit, loading root certificates is not required at all; likewise, using explicit self signed server certificates will not involve certificate authorities either, hence load them only if needed.
This commit is contained in:
Klemens Nanni
C. McEnroe
parent
0a1cfca0f4
commit
171a56ee2d
6
irc.c
6
irc.c
@ -71,6 +71,12 @@ void ircConfig(
|
|||||||
if (error) errx(EX_NOINPUT, "%s: %s", trust, tls_config_error(config));
|
if (error) errx(EX_NOINPUT, "%s: %s", trust, tls_config_error(config));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!insecure && !trust) {
|
||||||
|
const char *ca = tls_default_ca_cert_file();
|
||||||
|
error = tls_config_set_ca_file(config, ca);
|
||||||
|
if (error) errx(EX_OSFILE, "%s: %s", ca, tls_config_error(config));
|
||||||
|
}
|
||||||
|
|
||||||
if (cert) {
|
if (cert) {
|
||||||
const char *dirs = NULL;
|
const char *dirs = NULL;
|
||||||
for (const char *path; NULL != (path = configPath(&dirs, cert));) {
|
for (const char *path; NULL != (path = configPath(&dirs, cert));) {
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user