diff options
author | Klemens Nanni | 2021-06-10 01:32:09 +0000 |
---|---|---|
committer | C. McEnroe | 2021-06-10 14:44:35 -0400 |
commit | 171a56ee2dcb18050edbcfaf62c121d35d06d43f (patch) | |
tree | d3c98f16a04ad4388c9b268ea5cddf44ba38f3ac | |
parent | 0a1cfca0f41ca4ee5d981253b8f151c67aacf4f6 (diff) |
Hoist loading default root certificates into ircConfig()
tls_connect_socket(3) in ircConnect() does that by default already unless tls_config_set_ca_file(3) was used. Loading CA certificates before connecting makes no practical difference except on OpenBSD where this allows for tighter unveil und pledge setups now that all required (TLS related) file I/O is finished by the time ircConnect() gets to do network I/O. In case of the hidden `-!' insecure flag which is implied by `-o' to print server certificates and exit, loading root certificates is not required at all; likewise, using explicit self signed server certificates will not involve certificate authorities either, hence load them only if needed.
-rw-r--r-- | irc.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/irc.c b/irc.c index c98193a..720e1ce 100644 --- a/irc.c +++ b/irc.c @@ -71,6 +71,12 @@ void ircConfig( if (error) errx(EX_NOINPUT, "%s: %s", trust, tls_config_error(config)); } + if (!insecure && !trust) { + const char *ca = tls_default_ca_cert_file(); + error = tls_config_set_ca_file(config, ca); + if (error) errx(EX_OSFILE, "%s: %s", ca, tls_config_error(config)); + } + if (cert) { const char *dirs = NULL; for (const char *path; NULL != (path = configPath(&dirs, cert));) { |