cmCurl: Honor OpenSSL certificate environment variables

Honor the OpenSSL environment variables used to specify the location of the TLS certificates, as specified in the `curl(1)` man page. Co-authored-by: Ludovic Courtès <ludo@gnu.org>
2022-09-13 17:03:45 -04:00 · 2022-09-13 17:03:45 -04:00 · 10bf34a2d9
commit 10bf34a2d9
parent 355b12af79
5 changed files with 37 additions and 0 deletions
--- a/Help/envvar/SSL_CERT_DIR.rst
+++ b/Help/envvar/SSL_CERT_DIR.rst
@ -0,0 +1,9 @@
+SSL_CERT_DIR
+------------
+
+.. versionadded:: 3.25
+
+.. include:: ENV_VAR.txt
+
+Specify default directory containing CA certificates.  It overrides
+the default CA directory used.
--- a/Help/envvar/SSL_CERT_FILE.rst
+++ b/Help/envvar/SSL_CERT_FILE.rst
@ -0,0 +1,9 @@
+SSL_CERT_FILE
+-------------
+
+.. versionadded:: 3.25
+
+.. include:: ENV_VAR.txt
+
+Specify the file name containing CA certificates.  It overrides the
+default, os-specific CA file used.
--- a/Help/manual/cmake-env-variables.7.rst
+++ b/Help/manual/cmake-env-variables.7.rst
@ -21,6 +21,8 @@ Environment Variables that Change Behavior
   :maxdepth: 1

   /envvar/CMAKE_PREFIX_PATH
+   /envvar/SSL_CERT_DIR
+   /envvar/SSL_CERT_FILE

 Environment Variables that Control the Build
 ============================================
--- a/Help/release/dev/env-tls-certs.rst
+++ b/Help/release/dev/env-tls-certs.rst
@ -0,0 +1,6 @@
+env-tls-certs
+-------------
+
+* The :envvar:`SSL_CERT_FILE` and :envvar:`SSL_CERT_DIR` environment
+  variables are now used to find certificate authorities for TLS/SSL
+  operations.
--- a/Source/cmCurl.cxx
+++ b/Source/cmCurl.cxx
@ -34,10 +34,21 @@
 std::string cmCurlSetCAInfo(::CURL* curl, const std::string& cafile)
 {
  std::string e;
+  std::string env_ca;
  if (!cafile.empty()) {
    ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, cafile.c_str());
    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
  }
+  /* Honor the user-configurable OpenSSL environment variables. */
+  else if (cmSystemTools::GetEnv("SSL_CERT_FILE", env_ca) &&
+           cmSystemTools::FileExists(env_ca, true)) {
+    ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, env_ca.c_str());
+    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
+  } else if (cmSystemTools::GetEnv("SSL_CERT_DIR", env_ca) &&
+             cmSystemTools::FileIsDirectory(env_ca)) {
+    ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAPATH, env_ca.c_str());
+    check_curl_result(res, "Unable to set TLS/SSL Verify CAINFO: ");
+  }
 #ifdef CMAKE_FIND_CAFILE
 #  define CMAKE_CAFILE_FEDORA "/etc/pki/tls/certs/ca-bundle.crt"
  else if (cmSystemTools::FileExists(CMAKE_CAFILE_FEDORA, true)) {