diff --git a/acinclude.m4 b/acinclude.m4 index 6ed7ffbc1..ca0186984 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -2615,8 +2615,8 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]), capath="no" elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then dnl --with-ca-path given - if test "x$OPENSSL_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then - AC_MSG_ERROR([--with-ca-path only works with openSSL or PolarSSL]) + if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then + AC_MSG_ERROR([--with-ca-path only works with OpenSSL, GnuTLS or PolarSSL]) fi capath="$want_capath" ca="no" diff --git a/docs/libcurl/opts/CURLOPT_CAPATH.3 b/docs/libcurl/opts/CURLOPT_CAPATH.3 index 642953dc9..6695f9f3c 100644 --- a/docs/libcurl/opts/CURLOPT_CAPATH.3 +++ b/docs/libcurl/opts/CURLOPT_CAPATH.3 @@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc. .SH EXAMPLE TODO .SH AVAILABILITY -This option is OpenSSL-specific and does nothing if libcurl is built to use -GnuTLS. NSS-powered libcurl provides the option only for backward -compatibility. +This option is supported by the OpenSSL, GnuTLS and PolarSSL backends. The NSS +backend provides the option only for backward compatibility. .SH RETURN VALUE Returns CURLE_OK if TLS enabled, and CURLE_UNKNOWN_OPTION if not, or CURLE_OUT_OF_MEMORY if there was insufficient heap space. diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 05aef1967..c7925404e 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -97,6 +97,10 @@ static bool gtls_inited = FALSE; # if (GNUTLS_VERSION_NUMBER >= 0x03020d) # define HAS_OCSP # endif + +# if (GNUTLS_VERSION_NUMBER >= 0x030306) +# define HAS_CAPATH +# endif #endif #ifdef HAS_OCSP @@ -462,6 +466,24 @@ gtls_connect_step1(struct connectdata *conn, rc, data->set.ssl.CAfile); } +#ifdef HAS_CAPATH + if(data->set.ssl.CApath) { + /* set the trusted CA cert directory */ + rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred, + data->set.ssl.CApath, + GNUTLS_X509_FMT_PEM); + if(rc < 0) { + infof(data, "error reading ca cert file %s (%s)\n", + data->set.ssl.CAfile, gnutls_strerror(rc)); + if(data->set.ssl.verifypeer) + return CURLE_SSL_CACERT_BADFILE; + } + else + infof(data, "found %d certificates in %s\n", + rc, data->set.ssl.CApath); + } +#endif + if(data->set.ssl.CRLfile) { /* set the CRL list file */ rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred, diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h index c3867e540..af1cb5b10 100644 --- a/lib/vtls/gtls.h +++ b/lib/vtls/gtls.h @@ -54,6 +54,9 @@ bool Curl_gtls_cert_status_request(void); /* Set the API backend definition to GnuTLS */ #define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS +/* this backend supports the CAPATH option */ +#define have_curlssl_ca_path 1 + /* API setup for GnuTLS */ #define curlssl_init Curl_gtls_init #define curlssl_cleanup Curl_gtls_cleanup