lib-iostream-ssl: Use default CA locations with client context

If no CA settings are provided, fall back to default CA settings from openssl library.
dovecot · May 20, 2018 · 96206dd · 96206dd
1 parent f04adc2
commit 96206dd
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -358,8 +358,14 @@ ssl_iostream_context_load_ca(struct ssl_iostream_context *ctx,
 		}
 		have_ca = TRUE;
 	}
-
-	if (!have_ca && !set->allow_invalid_cert) {
+	if (!have_ca && ctx->client_ctx && !set->allow_invalid_cert) {
+		if (SSL_CTX_set_default_verify_paths(ctx->ssl_ctx) != 1) {
+			*error_r = t_strdup_printf(
+				"Can't load default CA locations: %s (ssl_client_ca_* settings missing)",
+				openssl_iostream_error());
+			return -1;
+		}
+	} else if (!have_ca && !set->allow_invalid_cert) {
 		*error_r = !ctx->client_ctx ?
 			"Can't verify remote client certs without CA (ssl_ca setting)" :
 			"Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)";