libwget/ssl_wolfssl.c (wget_ssl_init): Use wolfSSL_CTX_load_system_CA_certs()

2026-02-01 14:41:08 +00:00 · 2024-01-06 19:00:29 +01:00
parent 1bab5454f9
commit 04b2b54377
1 changed files with 42 additions and 13 deletions
--- a/libwget/ssl_wolfssl.c
+++ b/libwget/ssl_wolfssl.c
@ -646,25 +646,55 @@ void wget_ssl_init(void)
 			if (!wolfSSL_CTX_set_cipher_list(ssl_ctx, ciphers))
 				error_printf(_("WolfSSL: Failed to set ciphers '%s'\n"), ciphers);

+		wolfSSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, NULL);
+
 		if (config.check_certificate) {
-			if (!wget_strcmp(config.ca_directory, "system"))
-				config.ca_directory = wget_ssl_default_cert_dir();
-			if (config.ca_file && !wget_strcmp(config.ca_file, "system"))
-				config.ca_file = wget_ssl_default_ca_bundle_path();
-			const char* dir = config.ca_directory;
-			const char* file = config.ca_file;
+			wolfSSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
+			bool system_certs_loaded = false;
+
+#ifdef WOLFSSL_SYS_CA_CERTS
+			if (!wget_strcmp(config.ca_directory, "system") || !wget_strcmp(config.ca_file, "system")) {
+				if (wolfSSL_CTX_load_system_CA_certs(ssl_ctx) != WOLFSSL_SUCCESS) {
+					error_printf(_("Failed to load system certs\n"));
+				} else {
+					system_certs_loaded = true;
+					debug_printf("System certificates loaded\n");
+				}
+			}
+#endif
+
+			const char *dir = config.ca_directory;
+			const char *file = config.ca_file;
+			debug_printf("Certificates %s %s\n", dir, file);
+
+			if (config.ca_directory && !system_certs_loaded && !wget_strcmp(config.ca_directory, "system")) {
+				dir = wget_ssl_default_cert_dir();
+			}
+			if (config.ca_file && !system_certs_loaded && !wget_strcmp(config.ca_file, "system")) {
+				file = wget_ssl_default_ca_bundle_path();
+			}
+
 			if (dir && access(dir, F_OK))
 				dir = NULL;
 			else if (file && access(file, F_OK)) //yes else if, good to throw an error if neither are there, just don't want to do it if at least one exists
 				file = NULL;
-			// Load client certificates into WOLFSSL_CTX
-			if (wolfSSL_CTX_load_verify_locations(ssl_ctx, file, dir) != SSL_SUCCESS) {
-				error_printf(_("Failed to load CA pem: %s or cert dir: %s, ssl verification will likely fail.\n"), config.ca_file, config.ca_directory);
+
+			if (dir == NULL && file == NULL) {
+				if (!system_certs_loaded)
+					error_printf(_("Skipped loading CA certs. SSL verification will likely fail.\n"));
 				goto out;
 			}
-			wolfSSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
-		} else {
-			wolfSSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, NULL);
+
+			// Load client certificates into WOLFSSL_CTX
+			if (wolfSSL_CTX_load_verify_locations(ssl_ctx, file, dir) != SSL_SUCCESS) {
+				error_printf(_("Failed to load CA pem: %s or cert dir: %s, SSL verification will likely fail.\n"), file, dir);
+				goto out;
+			} else {
+				if (dir)
+					debug_printf("Certificates loaded from %s\n", dir);
+				if (file)
+					debug_printf("Certificates loaded from %s\n", file);
+			}
 		}

 /*		if (config.crl_file) {
@ -678,7 +708,6 @@ void wget_ssl_init(void)
 			wolfSSL_X509_STORE_set_flags(store, WOLFSSL_CRL_CHECK | WOLFSSL_CRL_CHECKALL);
 		}
 */
-		debug_printf("Certificates loaded\n");

 out:
 		init++;