From e448313d686bd4ef3b99778ea88f666a3c82e040 Mon Sep 17 00:00:00 2001
From: David <31015441+deFractal@users.noreply.github.com>
Date: Wed, 4 Aug 2021 16:45:07 -0700
Subject: [PATCH 1/3] Add option for local default OpenSSL 1.1 CA file

Provides non-empty default for Homebrew on macOS
---
 ptstream.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ptstream.c b/ptstream.c
index 0ef5f57..46f7e4f 100644
--- a/ptstream.c
+++ b/ptstream.c
@@ -263,8 +263,13 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) {
 X509* cert = NULL;
 int status;
 struct stat st_buf;
+#ifndef LOCAL_OPENSSL11
 const char *ca_file = NULL;
 const char *ca_dir = "/etc/ssl/certs/"; /* Default cert directory if none given */
+#else
+ const char *ca_file = "/usr/local/etc/openssl@1.1/cacert.pem";
+ const char *ca_dir = NULL;
+#endif /* !LOCAL_OPENSSL11 */
 long vresult;
 char *peer_host = NULL;
 char proxy_arg_fmt[32];

From a269b94ad8f6411225f55c79e7f4207c1621f5d1 Mon Sep 17 00:00:00 2001
From: David <31015441+deFractal@users.noreply.github.com>
Date: Wed, 4 Aug 2021 18:13:37 -0700
Subject: [PATCH 2/3] Accept alt ca_file and ca_dir as compiler options

---
 ptstream.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/ptstream.c b/ptstream.c
index 46f7e4f..e11a958 100644
--- a/ptstream.c
+++ b/ptstream.c
@@ -263,13 +263,16 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) {
 X509* cert = NULL;
 int status;
 struct stat st_buf;
-#ifndef LOCAL_OPENSSL11
+#ifndef DEFAULT_CA_FILE
 const char *ca_file = NULL;
+#else
+ const char *ca_file = DEFAULT_CA_FILE; /* Default cert file from in Makefile */
+#endif /* !DEFAULT_CA_FILE */
+#ifndef DEFAULT_CA_DIR
 const char *ca_dir = "/etc/ssl/certs/"; /* Default cert directory if none given */
 #else
- const char *ca_file = "/usr/local/etc/openssl@1.1/cacert.pem";
- const char *ca_dir = NULL;
-#endif /* !LOCAL_OPENSSL11 */
+ const char *ca_dir = DEFAULT_CA_DIR; /* Default cert directory from Makefile */
+#endif /* !DEFAULT_CA_DIR */
 long vresult;
 char *peer_host = NULL;
 char proxy_arg_fmt[32];

From 8cfcd00045db0489ce23dbafacb7f6742fe094c6 Mon Sep 17 00:00:00 2001
From: David <31015441+deFractal@users.noreply.github.com>
Date: Wed, 4 Aug 2021 19:03:12 -0700
Subject: [PATCH 3/3] Document CA file & dir compiler options and fix a trivia typo

---
 Makefile | 6 ++++++
 docs/proxytunnel.1.adoc | 3 ++-
 ptstream.c | 2 +-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index d2fc076..1da0ce7 100644
--- a/Makefile
+++ b/Makefile
@@ -26,6 +26,12 @@ OPTFLAGS += -DSETPROCTITLE -DSPT_TYPE=2 # DARWIN #OPTFLAGS += -DDARWIN +# DARWIN, continued, if compiling for macOS with Homebrew +#CFLAGS += -I/usr/local/opt/openssl/include +#LDFLAGS += -L/usr/local/opt/openssl/lib +#OPTFLAGS += -DDEFAULT_CA_FILE='"/usr/local/etc/openssl@1.1/cacert.pem"' +#OPTFLAGS += -DDEFAULT_CA_DIR=NULL + # CYGWIN #OPTFLAGS += -DCYGWIN
diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc
index 7d136ee..0be08f8 100644
--- a/docs/proxytunnel.1.adoc
+++ b/docs/proxytunnel.1.adoc
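Review bot: The paired `#ifndef DEFAULT_CA_FILE … #else … #endif` and `#ifndef DEFAULT_CA_DIR … #else … #endif` blocks declare each of `ca_file` and `ca_dir` twice, once per branch, so the type, name and comment have to be kept in sync by hand across four branches; defaulting the two macros once and declaring each variable unconditionally gives the same result with a single declaration each, as sketched below (the `#define`s could equally sit at the top of the file, which is outside this hunk). Note too that the Makefile example added later in this series sets `-DDEFAULT_CA_DIR=NULL` next to `DEFAULT_CA_FILE`, whereas a build that defines only `DEFAULT_CA_FILE` keeps `/etc/ssl/certs/` as `ca_dir` as well; whether that combination is honoured, ignored or rejected is decided by the rest of stream_enable_ssl, which starts and ends outside this hunk, so a one-line comment here stating which setting wins would save the next packager a guess. Whatever the precedence, a compiled-in default path that is absent on the running host should make SSL setup fail rather than quietly proceed; that check also lives outside the hunk and is worth confirming.
```c
 struct stat st_buf;
/* Build-time trust-anchor overrides; an unset macro keeps the historical default. */
#ifndef DEFAULT_CA_FILE
#define DEFAULT_CA_FILE NULL
#endif
#ifndef DEFAULT_CA_DIR
#define DEFAULT_CA_DIR "/etc/ssl/certs/" /* Default cert directory if none given */
#endif
 const char *ca_file = DEFAULT_CA_FILE; /* Default cert file from Makefile, if any */
 const char *ca_dir = DEFAULT_CA_DIR;   /* Default cert directory from Makefile */
 /* … unchanged: long vresult and the remaining locals … */
```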
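Review bot: The commented example mixes two Homebrew kegs: `CFLAGS`/`LDFLAGS` point at the unversioned `/usr/local/opt/openssl` alias while `DEFAULT_CA_FILE` names the `openssl@1.1` keg explicitly, so once the `openssl` alias moves to a newer major version the binary links one OpenSSL and trusts a CA bundle shipped with another. Use the same keg in all three lines, e.g. `#CFLAGS += -I/usr/local/opt/openssl@1.1/include` and `#LDFLAGS += -L/usr/local/opt/openssl@1.1/lib`. `/usr/local` is also only the Intel Homebrew prefix; Apple-silicon installs live under `/opt/homebrew`, so `$(shell brew --prefix openssl@1.1)` in place of the literal prefix would cover both. The bundle filename (`cacert.pem` versus whatever the keg actually ships) should be checked against a fresh install rather than copied from the example, because a compiled-in default that does not exist on the target host only helps if the runtime code fails closed on it, which this series does not show.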
@@ -69,7 +69,8 @@ also be used for other proxy-traversing purposes like proxy bouncing. *-C*, *--cacert*=_filename/directory_:: Specify a CA certificate file (or directory containing CA certificate(s)) to trust when verifying a server SSL certificate. If a directory is provided, - it must be prepared with OpenSSL's c_rehash tool. (default: /etc/ssl/certs) + it must be prepared with OpenSSL's c_rehash tool. (default, unless changed at + compile time using DEFAULT_CA_FILE or DEFAULT_CA_DIR options: /etc/ssl/certs) *-F*, *--passfile*=_filename_:: Use _filename_ for reading username and password for HTTPS proxy
diff --git a/ptstream.c b/ptstream.c
index e11a958..8d46c69 100644
--- a/ptstream.c
+++ b/ptstream.c
@@ -266,7 +266,7 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) {
 #ifndef DEFAULT_CA_FILE
 const char *ca_file = NULL;
 #else
- const char *ca_file = DEFAULT_CA_FILE; /* Default cert file from in Makefile */
+ const char *ca_file = DEFAULT_CA_FILE; /* Default cert file from Makefile */
 #endif /* !DEFAULT_CA_FILE */
 #ifndef DEFAULT_CA_DIR
 const char *ca_dir = "/etc/ssl/certs/"; /* Default cert directory if none given */