From acf455911cd0b97e247bcd06e365a3fea0ba208c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 8 Dec 2016 13:49:11 +0100
Subject: [PATCH] Default SSL_ca_file to system-wide store
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This patch provides a default value for a file with CA certificates.
Similar idea was implemented in upstream version 1.968.

This patch also decouples default values for CA and client
certificates. This allows to specify SSL_cert_file and SSL_key_file
while not specifying SSL_ca_path and SSL_ca_file to still use
default values for them.

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 lib/IO/Socket/SSL.pm | 65 +++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 44 insertions(+), 21 deletions(-)

diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
index 4720606..2ea454b 100644
--- a/lib/IO/Socket/SSL.pm
+++ b/lib/IO/Socket/SSL.pm
@@ -326,7 +326,7 @@ sub configure_SSL {
 	    "*******************************************************************\n".
 	    " Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client\n".
 	    " is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER\n".
-	    " together with SSL_ca_file|SSL_ca_path for verification.\n".
+	    " possibly with SSL_ca_file|SSL_ca_path for verification.\n".
 	    " If you really don't want to verify the certificate and keep the\n".
 	    " connection open to Man-In-The-Middle attacks please set\n".
 	    " SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.\n".
@@ -339,24 +339,54 @@ sub configure_SSL {
     %$arg_hash = ( %default_args, %$arg_hash );
 
     # use default path to certs and ca unless another one was given
-    # don't mix default path with user specified path, either we use all
-    # or no defaults
+    # don't mix default paths with user specified paths for CA or client
+    # certificates, either we use all from the grup or no defaults
     {
-	my $use_default = 1;
-	for (qw( SSL_cert SSL_cert_file SSL_key SSL_key_file SSL_ca_file SSL_ca_path )) {
+	my $use_default_ca = 1;
+	my $dont_use_system_ca_file = (exists $arg_hash->{SSL_ca_file} and
+		not defined($arg_hash->{SSL_ca_file}));
+	for (qw( SSL_ca_file SSL_ca_path )) {
 	    next if ! defined $arg_hash->{$_};
 	    # some apps set keys '' to signal that it is not set, replace with undef
 	    if ( $arg_hash->{$_} eq '' ) {
 		$arg_hash->{$_} = undef;
 		next;
 	    }
-	    $use_default = 0;
+	    $use_default_ca = 0;
 	}
-	if ( $use_default ) {
+	my $use_default_client = 1;
+	for (qw( SSL_cert SSL_cert_file SSL_key SSL_key_file )) {
+	    next if ! defined $arg_hash->{$_};
+	    # some apps set keys '' to signal that it is not set, replace with undef
+	    if ( $arg_hash->{$_} eq '' ) {
+		$arg_hash->{$_} = undef;
+		next;
+	    }
+	    $use_default_client = 0;
+	}
+	if ( $use_default_ca ) {
 	    my %ca = 
 		-f 'certs/my-ca.pem' ? ( SSL_ca_file => 'certs/my-ca.pem' ) :
 		-d 'ca/' ? ( SSL_ca_path => 'ca/' ) :
 		();
+	    if (! %ca and !$dont_use_system_ca_file) {
+		require Mozilla::CA;
+		%ca = ( SSL_ca_file => Mozilla::CA::SSL_ca_file() );
+	    }
+	    %$arg_hash = ( %$arg_hash, %ca );
+	} else {
+	    if ( defined( my $f = $arg_hash->{SSL_ca_file} )) {
+		die "SSL_ca_file $f does not exist" if ! -f $f;
+		die "SSL_ca_file $f is not accessable" if ! -r _;
+	    }
+	    if ( defined( my $d = $arg_hash->{SSL_ca_path} )) {
+		die "only SSL_ca_path or SSL_ca_file should be given"
+		    if defined $arg_hash->{SSL_ca_file};
+		die "SSL_ca_path $d does not exist" if ! -d $d;
+		die "SSL_ca_path $d is not accessable" if ! -r _;
+	    }
+	}
+	if ( $use_default_client ) {
 	    my %certs = $is_server ? (
 		SSL_key_file => 'certs/server-key.pem',
 		SSL_cert_file => 'certs/server-cert.pem',
@@ -364,7 +394,7 @@ sub configure_SSL {
 		SSL_key_file => 'certs/client-key.pem',
 		SSL_cert_file => 'certs/client-cert.pem',
 	    );
-	    %$arg_hash = ( %$arg_hash, %ca, %certs );
+	    %$arg_hash = ( %$arg_hash, %certs );
 	} else {
 	    for(qw(SSL_cert_file SSL_key_file)) {
 		defined( my $file = $arg_hash->{$_} ) or next;
@@ -373,16 +403,6 @@ sub configure_SSL {
 		    die "$_ $f is not accessable" if ! -r _;
 		}
 	    }
-	    if ( defined( my $f = $arg_hash->{SSL_ca_file} )) {
-		die "SSL_ca_file $f does not exist" if ! -f $f;
-		die "SSL_ca_file $f is not accessable" if ! -r _;
-	    }
-	    if ( defined( my $d = $arg_hash->{SSL_ca_path} )) {
-		die "only SSL_ca_path or SSL_ca_file should be given" 
-		    if defined $arg_hash->{SSL_ca_file};
-		die "SSL_ca_path $d does not exist" if ! -d $d;
-		die "SSL_ca_path $d is not accessable" if ! -r _;
-	    }
 	}
     }
 
@@ -1937,8 +1957,11 @@ IO::Socket::SSL -- SSL sockets with IO::Socket interface
 
 	# certificate verification
 	SSL_verify_mode => SSL_VERIFY_PEER,
+
+	# location of CA store
+	# need only be given if default store should not be used
 	SSL_ca_path => '/etc/ssl/certs', # typical CA path on Linux
-	# on OpenBSD instead: SSL_ca_file => '/etc/ssl/cert.pem'
+	SSL_ca_file => '/etc/ssl/cert.pem', # typical CA file on BSD
 
 	# easy hostname verification 
 	SSL_verifycn_name => 'foo.bar', # defaults to PeerHost
@@ -2210,9 +2233,9 @@ password required to decrypt your private key.
 =item SSL_ca_file
 
 If you want to verify that the peer certificate has been signed by a reputable
-certificate authority, then you should use this option to locate the file
+certificate authority, then you can use this option to locate the file
 containing the certificateZ<>(s) of the reputable certificate authorities if it is
-not already in the file F<certs/my-ca.pem>.
+not already in the file F<certs/my-ca.pem> or in a system-wide certificate authority certificates store.
 If you definitely want no SSL_ca_file used you should set it to undef.
 
 =item SSL_ca_path
-- 
2.7.4