[TLS] Straighten out defaults for client-side files.

xrootd · Oct 7, 2019 · adc7608 · adc7608
1 parent 176adb6
commit adc7608
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 11 deletions.
diff --git a/src/XrdTls/XrdTlsContext.cc b/src/XrdTls/XrdTlsContext.cc
@@ -310,17 +310,22 @@ XrdTlsContext::XrdTlsContext(const char *cert,  const char *key,
 
 // If no CA cert information is specified and this is not a server context,
 // then get the paths from the environment. They must exist as we need to
-// verify peer certs in order to verify target host names client-side.
+// verify peer certs in order to verify target host names client-side. We
+// also use this setupt to see if we should use a specific cert and key.
 //
-   if (!caDir && !caFile && !(opts & servr))
-      {caDir  = getenv("X509_CERT_DIR");
-       caFile = getenv("X509_CERT_FILE");
-       if (!caDir && !caFile)
-          {XrdTlsGlobal::msgCB("Tls_Context", "Unable to determine the "
-                         "location of trusted CA certificates to verify "
-                         "peer identify; this is required!", false);
-           return;
+   if (!(opts & servr))
+      {if (!caDir && !caFile)
+          {caDir  = getenv("X509_CERT_DIR");
+           caFile = getenv("X509_CERT_FILE");
+           if (!caDir && !caFile)
+              {XrdTlsGlobal::msgCB("Tls_Context", "Unable to determine the "
+                             "location of trusted CA certificates to verify "
+                             "peer identify; this is required!", false);
+               return;
+              }
           }
+       if (!cert) cert = getenv("X509_USER_PROXY");
+       if (!key)  key  = getenv("X509_USER_KEY");
       }
 
 // Before we try to use any specified files, make sure they exist, are of

diff --git a/src/XrdTls/XrdTlsContext.hh b/src/XrdTls/XrdTlsContext.hh
@@ -112,9 +112,13 @@ const char     *Init();
 //!            Otherwise, the cadir value is obtained from the X509_CERT_DIR
 //!            envar and the cafile value is obtained from the X509_CERT_File
 //!            envar. If both are nil, context creation fails.
-//!         b) You should immediately call Context() after instantiating this
+//!         b) Additionally for client-side contructions, if cert or key is
+//!            not specified the location come from X509_USER_PROXY and
+//!            X509_USER_KEY. These may be nil in which case a generic
+//!            context is created with a local key-pair and nor certificate.
+//!         c) You should immediately call Context() after instantiating this
 //!            object. A return value of zero means that construction failed.
-//!         c) Failure messages are routed to the message callback function
+//!         d) Failure messages are routed to the message callback function
 //!            during construction.
 //------------------------------------------------------------------------