mirror of
https://github.com/opnsense/src.git
synced 2026-02-03 20:49:35 -05:00
Since the default store already points to /etc/ssl/certs and the CRLs are hashed there too it is trivial to bring libfetch applications to verifying the CRLs contained when doing an SSL connection. libfetch: ignore the error of an absence of a CRL ... when passing SSL_CRL_FILE / SSL_CRL_VERIFY. The situation isn't ideal, but since we don't know what we are going to deal with the situation is tricky. It's especially pointless in scenarios of pkg multi-repo cases where we need to deal with a mixed bag of URLs during the same context. For the benefit of the doubt print the appropriate message for the user to see. In general it would be a bit safer if we could enforce the existence of a CRL distribution point as a mandatory CRL check and the others as an optional one with the warning as printed for the user to see. It would also need a strict mode if someone needed the other behaviour but since we did not have any consumers of SSL_CRL_FILE and --crl was broken for a long time it's safe to assume nobody uses this for these specific reasons. libfetch: add the error number to verify callback failure case |
||
|---|---|---|
| common.c | ||
| common.h | ||
| fetch.3 | ||
| fetch.c | ||
| fetch.h | ||
| file.c | ||
| ftp.c | ||
| ftp.errors | ||
| http.c | ||
| http.errors | ||
| Makefile | ||
| Makefile.depend | ||
| Makefile.depend.options | ||