From abe4927d695dc762f3879765c3bb7b85dd4d4ba9 Mon Sep 17 00:00:00 2001 From: Kalle Olavi Niemitalo Date: Sun, 27 Jul 2008 18:23:42 +0300 Subject: [PATCH] 1022: NEWS and option documentation --- NEWS | 6 +++++- src/network/ssl/ssl.c | 24 +++++++++++++++++++----- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/NEWS b/NEWS index 7af8673f..a02c1088 100644 --- a/NEWS +++ b/NEWS @@ -21,10 +21,14 @@ includes the changes listed under "ELinks 0.11.4.GIT now" below. JS_CallFunction, which can crash if given a closure. * critical bug 1031: Use the same JSRuntime for both user SMJS and scripts on web pages, to work around SpiderMonkey bug 378918. +* bug 1022: Add connection.ssl.trusted_ca_file setting for GnuTLS. + Before this, ELinks did not trust any certificate authorities when + it used GnuTLS, so certificate verification always failed if you + enabled it at connection.ssl.cert_verify. * bug 1040: Blacklist servers that don't support TLS. This reduces SSL errors especially in HTTP POST requests using GnuTLS. * minor bug 951: SpiderMonkey scripting objects used to prevent ELinks - from removing files from the memory cache + from removing files from the memory cache. Bugs that should be removed from NEWS before the 0.12.0 release: diff --git a/src/network/ssl/ssl.c b/src/network/ssl/ssl.c index c9c9243d..9629065e 100644 --- a/src/network/ssl/ssl.c +++ b/src/network/ssl/ssl.c @@ -142,7 +142,7 @@ init_gnutls(struct module *module) /* FIXME: check returned values. --witekfl */ gnutls_certificate_set_x509_trust_file(xcred, ca_file, GNUTLS_X509_FMT_PEM); - + gnutls_certificate_set_verify_flags(xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); } 
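Review bot: The new `gnutls_certificate_set_verify_flags(xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);` call loosens verification (X.509 v1 certificates, which carry no basicConstraints extension, are accepted as CAs) without saying why; add a comment such as `/* Accept X.509 v1 root certificates as CAs; presumably some system CA bundles still contain them. */` — hedged, since the reason is not visible in this hunk. The preceding `gnutls_certificate_set_x509_trust_file(xcred, ca_file, GNUTLS_X509_FMT_PEM);` still carries the FIXME about its unchecked result: it returns the number of certificates loaded or a negative error code, so if the configured trusted_ca_file is missing or unreadable the trust store stays empty and, with cert_verify enabled, every connection fails with no hint as to why. Capture the result, `int ncerts = gnutls_certificate_set_x509_trust_file(xcred, ca_file, GNUTLS_X509_FMT_PEM);`, and report `ncerts <= 0` through the module's usual error path so the misconfiguration is visible. init_gnutls begins outside the hunk, and its trailing context lines appear to have been dropped by the page's collapsed layout.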
@@ -160,12 +160,26 @@ done_gnutls(struct module *module) static struct option_info gnutls_options[] = { INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"), "cert_verify", 0, 0, - N_("Verify the peer's SSL certificate. Note that this\n" - "probably doesn't work properly at all with GnuTLS.")), -/* FIXME: Better description. */ + N_("Verify the peer's SSL certificate. If you enable\n" + "this, set also \"Trusted CA file\".")), + + /* The default value of the following option points to a file + * generated by the ca-certificates Debian package. Don't use + * CONFDIR here: if someone installs ELinks in $HOME and wants + * to have a user-specific trust list, he or she can just + * change the file name via the option manager. Distributors + * of binary packages should of course change the default to + * suit their systems. + * TODO: If the file name is relative, look in elinks_home? */ INIT_OPT_STRING("connection.ssl", N_("Trusted CA file"), "trusted_ca_file", 0, "/etc/ssl/certs/ca-certificates.crt", - N_("The location of the trusted CA file.")), + N_("The location of a file containing certificates of\n" + "trusted certification authorities in PEM format.\n" + "ELinks then trusts certificates issued by these CAs.\n" + "If you change this option or the file, you must\n" + "restart ELinks for the changes to take effect.\n" + "This option affects GnuTLS but not OpenSSL.")), + NULL_OPTION_INFO, };
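Review bot: The new trusted_ca_file description says ELinks "then trusts certificates issued by these CAs", but with cert_verify left at its default of 0 (the `"cert_verify", 0, 0,` context line) no verification happens at all, so a user who sets only this option gets no protection; add a sentence to the description, `"It has no effect unless connection.ssl.cert_verify is on.\n"`. The comment block explains why CONFDIR is not used but not where the value is consumed; since the description requires a restart, a short `/* Presumably read once, in init_gnutls(); confirm before implementing the relative-path TODO. */` beside the TODO would point the next maintainer to the right place. The enclosing gnutls_options array lies fully inside the hunk; the trailing context line after `};` appears to have been dropped by the page's collapsed layout.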