Merge pull request #54 from deFractal/local-ca-file

Optionally accept alternative default CA file and/or directory path at compile time

Makefile

@@ -26,6 +26,12 @@ OPTFLAGS += -DSETPROCTITLE -DSPT_TYPE=2
 # DARWIN
 #OPTFLAGS += -DDARWIN
 
+# DARWIN, continued, if compiling for macOS with Homebrew
+#CFLAGS += -I/usr/local/opt/openssl/include
+#LDFLAGS += -L/usr/local/opt/openssl/lib
+#OPTFLAGS += -DDEFAULT_CA_FILE='"/usr/local/etc/openssl@1.1/cacert.pem"'
+#OPTFLAGS += -DDEFAULT_CA_DIR=NULL
+
 # CYGWIN
 #OPTFLAGS += -DCYGWIN
 

docs/proxytunnel.1.adoc

@@ -69,7 +69,8 @@ also be used for other proxy-traversing purposes like proxy bouncing.
 *-C*, *--cacert*=_filename/directory_::
     Specify a CA certificate file (or directory containing CA certificate(s))
     to trust when verifying a server SSL certificate. If a directory is provided,
-    it must be prepared with OpenSSL's c_rehash tool. (default: /etc/ssl/certs)
+    it must be prepared with OpenSSL's c_rehash tool. (default, unless changed at
+    compile time using DEFAULT_CA_FILE or DEFAULT_CA_DIR options: /etc/ssl/certs)
 
 *-F*, *--passfile*=_filename_::
     Use _filename_ for reading username and password for HTTPS proxy

ptstream.c

@@ -263,8 +263,16 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) {
 	X509* cert = NULL;
 	int status;
 	struct stat st_buf;
+#ifndef DEFAULT_CA_FILE
 	const char *ca_file = NULL;
+#else
+	const char *ca_file = DEFAULT_CA_FILE; /* Default cert file from Makefile */
+#endif /* !DEFAULT_CA_FILE */
+#ifndef DEFAULT_CA_DIR
 	const char *ca_dir = "/etc/ssl/certs/"; /* Default cert directory if none given */
+#else
+	const char *ca_dir = DEFAULT_CA_DIR;  /* Default cert directory from Makefile */
+#endif /* !DEFAULT_CA_DIR */
 	long vresult;
 	char *peer_host = NULL;
 	char proxy_arg_fmt[32];