tls: Handle tls.ca_path and tls.ca_file correcty

Suppose we have the following configuration: [OUTPUT] Name http ... tls On tls.ca_file /var/cert/custom.crt With the old code, `tls.ca_file` was simply ignored, because the old code checked ca_path first, and just proceeded to load system certs if ca_path was not provided. Fix `tls_context_create()` to honor ca_path and ca_file properly. Signed-off-by: Fujimoto Seiji <[email protected]>
fluent · Jan 8, 2021 · f22b584 · f22b584
1 parent 253433b
commit f22b584
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
@@ -185,8 +185,15 @@ static void *tls_context_create(int verify, int debug,
     }
 
     /* ca_path | ca_file */
-    if (!ca_path) {
-        load_system_certificates(ctx);
+    if (ca_path) {
+        ret = SSL_CTX_load_verify_locations(ctx->ctx, NULL, ca_path);
+        if (ret != 1) {
+            flb_error("[tls] ca_path'%s' %lu: %s",
+                      ca_path,
+                      ERR_get_error(),
+                      ERR_error_string(ERR_get_error(), NULL));
+            goto error;
+        }
     }
     else if (ca_file) {
         ret = SSL_CTX_load_verify_locations(ctx->ctx, ca_file, NULL);
@@ -198,6 +205,9 @@ static void *tls_context_create(int verify, int debug,
             goto error;
         }
     }
+    else {
+        load_system_certificates(ctx);
+    }
 
     /* crt_file */
     if (crt_file) {