Since ssl_init is called before the first conf_parse_file, ssl_init does not have access to the value of ca-trust-file. openssl.c defers setting the CA location to ssl_open, so it does not have that problem.
This is likely the cause of #255, which I also experienced on Red Hat Enterprise Linux 8.
There's an additional problem: GnuTLS cannot use OpenSSL "BEGIN TRUSTED CERTIFICATE" blocks, so it cannot use the default CAFILE2.
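The "BEGIN TRUSTED CERTIFICATE" point above is worth seeing concretely. OpenSSL's trusted-certificate PEM (the X509_AUX layout written by `openssl x509 -trustout`, which is what many distro CA bundles such as CAFILE2 contain) is the certificate's DER encoding followed immediately by a second DER SEQUENCE carrying the trust/reject OIDs and an alias. GnuTLS only understands the bare certificate, so such a bundle must be rewritten before it can be handed to the GnuTLS backend. The script below is an added example, not inadyn's code; it strips the trailing aux SEQUENCE and relabels the block. The `TOY_CERT_DER`/`TOY_AUX_DER` bytes are a constructed stand-in (a SEQUENCE containing an INTEGER, and a SEQUENCE containing a UTF8String), not a real certificate, so that the example runs offline. In practice `openssl x509 -in bundle.pem -out plain.pem` performs the same conversion for a single certificate.

```python
"""Convert OpenSSL "TRUSTED CERTIFICATE" PEM blocks to plain "CERTIFICATE".

Assumption (OpenSSL X509_AUX layout): a trusted certificate is the
certificate DER followed by a second DER SEQUENCE with trust settings.
Keeping only the first SEQUENCE yields a certificate GnuTLS can load.
"""
import base64
import re


def der_tlv_length(der: bytes) -> int:
    """Total encoded size (tag + length octets + content) of the first
    DER element in `der`.  Handles short and long-form lengths."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    first = der[1]
    if first < 0x80:                       # short form: length < 128
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    content_len = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + content_len


def split_x509_aux(der: bytes):
    """Split cert||aux into (cert_der, aux_der); aux_der is b'' for a
    plain certificate."""
    if not der or der[0] != 0x30:          # X.509 Certificate is a SEQUENCE
        raise ValueError("expected DER SEQUENCE")
    n = der_tlv_length(der)
    if n > len(der):
        raise ValueError("certificate truncated")
    return der[:n], der[n:]


_BLOCK = re.compile(
    r"-----BEGIN (?P<label>TRUSTED CERTIFICATE|CERTIFICATE)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----"
)


def convert_trusted_pem(pem_text: str) -> str:
    """Rewrite every TRUSTED CERTIFICATE block as a plain CERTIFICATE
    block; blocks that are already plain are passed through unchanged."""
    def rewrite(m: re.Match) -> str:
        if m.group("label") == "CERTIFICATE":
            return m.group(0)
        der = base64.b64decode("".join(m.group("body").split()))
        cert, _aux = split_x509_aux(der)   # drop the OpenSSL trust aux
        b64 = base64.b64encode(cert).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        return ("-----BEGIN CERTIFICATE-----\n"
                + "\n".join(lines)
                + "\n-----END CERTIFICATE-----")
    return _BLOCK.sub(rewrite, pem_text)


def count_trusted_blocks(pem_text: str) -> int:
    """Quick check for whether a CA file will trip up GnuTLS."""
    return pem_text.count("-----BEGIN TRUSTED CERTIFICATE-----")


# Constructed toy input (NOT a real certificate): SEQUENCE{INTEGER 5}
# stands in for the certificate, SEQUENCE{UTF8String "A"} for the aux.
TOY_CERT_DER = bytes.fromhex("3003020105")
TOY_AUX_DER = bytes.fromhex("30030c0141")
SAMPLE_TRUSTED_PEM = (
    "-----BEGIN TRUSTED CERTIFICATE-----\n"
    + base64.b64encode(TOY_CERT_DER + TOY_AUX_DER).decode()
    + "\n-----END TRUSTED CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(count_trusted_blocks(SAMPLE_TRUSTED_PEM), "trusted block(s) found")
    print(convert_trusted_pem(SAMPLE_TRUSTED_PEM))
```

Run it over a real bundle with `convert_trusted_pem(open(path).read())`; if `count_trusted_blocks` returns zero for the file named in ca-trust-file, the GnuTLS backend will at least be able to parse it, and any remaining validation failure is a genuine trust problem rather than a format one.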
As mentioned in #391, setting the CA trust for the OpenSSL backend is
deferred to ssl_open(). This patch defers the GnuTLS CA init in a
similar fashion, allowing a custom user-defined trust file to be set
also when using the GnuTLS backend.
Verified manually with the FreeDNS plugin and three different CA files:
- /etc/ssl/certs/ca-certificates.crt (everything works, CAFILE1)
- /etc/ssl/certs/UCA_Global_G2_Root.pem (validation fails, expected)
- /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt (works)
Signed-off-by: Joachim Wiberg <[email protected]>