1022: NEWS and option documentation

2024-06-24 00:56:14 +00:00 · 2008-07-27 18:23:42 +03:00 · 2008-07-27 18:23:42 +03:00 · abe4927d69
commit abe4927d69
parent 2e1983ce93
2 changed files with 24 additions and 6 deletions
--- a/6
+++ b/6
@ -21,10 +21,14 @@ includes the changes listed under "ELinks 0.11.4.GIT now" below.
  JS_CallFunction, which can crash if given a closure.
 * critical bug 1031: Use the same JSRuntime for both user SMJS and
  scripts on web pages, to work around SpiderMonkey bug 378918.
+* bug 1022: Add connection.ssl.trusted_ca_file setting for GnuTLS.
+  Before this, ELinks did not trust any certificate authorities when
+  it used GnuTLS, so certificate verification always failed if you
+  enabled it at connection.ssl.cert_verify.
 * bug 1040: Blacklist servers that don't support TLS.  This reduces
  SSL errors especially in HTTP POST requests using GnuTLS.
 * minor bug 951: SpiderMonkey scripting objects used to prevent ELinks
-  from removing files from the memory cache
+  from removing files from the memory cache.

 Bugs that should be removed from NEWS before the 0.12.0 release:

--- a/src/network/ssl/ssl.c
+++ b/src/network/ssl/ssl.c
@ -142,7 +142,7 @@ init_gnutls(struct module *module)
 		/* FIXME: check returned values. --witekfl */
 		gnutls_certificate_set_x509_trust_file(xcred, ca_file,
 			GNUTLS_X509_FMT_PEM);
-		
+
 		gnutls_certificate_set_verify_flags(xcred,
 				GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
 	}
@ -160,12 +160,26 @@ done_gnutls(struct module *module)
 static struct option_info gnutls_options[] = {
 	INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
 		"cert_verify", 0, 0,
-		N_("Verify the peer's SSL certificate. Note that this\n"
-		"probably doesn't work properly at all with GnuTLS.")),
-/* FIXME: Better description. */
+		N_("Verify the peer's SSL certificate.  If you enable\n"
+		   "this, set also \"Trusted CA file\".")),
+
+	/* The default value of the following option points to a file
+	 * generated by the ca-certificates Debian package.  Don't use
+	 * CONFDIR here: if someone installs ELinks in $HOME and wants
+	 * to have a user-specific trust list, he or she can just
+	 * change the file name via the option manager.  Distributors
+	 * of binary packages should of course change the default to
+	 * suit their systems.
+	 * TODO: If the file name is relative, look in elinks_home?  */
 	INIT_OPT_STRING("connection.ssl", N_("Trusted CA file"),
 		"trusted_ca_file", 0, "/etc/ssl/certs/ca-certificates.crt",
-		 N_("The location of the trusted CA file.")),
+		N_("The location of a file containing certificates of\n"
+		   "trusted certification authorities in PEM format.\n"
+		   "ELinks then trusts certificates issued by these CAs.\n"
+		   "If you change this option or the file, you must\n"
+		   "restart ELinks for the changes to take effect.\n"
+		   "This option affects GnuTLS but not OpenSSL.")),
+
 	NULL_OPTION_INFO,
 };