[TW-1855] "Well-known" CA certificates not properly auto-loaded

[taskwarrior]

Flavio Poletti on 2016-10-01T19:27:50Z says:

GnuTLS usually ships a directory or a bundle of "well-known" CA certificates, which allow automatic verification of most "real" (i.e. non-autogenerated) certificates. These ones have to be loaded though, which is not done in the current release of Taskwarrior and results in users to manually configure the CA files (see https://gist.github.com/polettix/e8007a7f2064e7f133d93e060032a880 for a solution involving Let's Encrypt).

As of release 3.0.20 of GnuTLS there is a convenience function to load certificates installed in the system. The following patch (diff taken against branch 2.5.2) takes care to call it if possible.

diff --git a/src/TLSClient.cpp b/src/TLSClient.cpp index cb87d1d..434392b 100644

• -- a/src/TLSClient.cpp +++ b/src/TLSClient.cpp @@ -152,6 +152,13 @@ void TLSClient::init ( if (ret < 0) throw format ("TLS allocation error. {1}", gnutls_strerror (ret));

+#if GNUTLS_VERSION_NUMBER >= 0x030014

• // automatic loading of system installed CA certificates is available
• // only as of gnutls 3.0.20
• if ((ret = gnutls_certificate_set_x509_system_trust(_credentials)) < 0)
• throw format ("Bad System Trust. {1}", gnutls_strerror (ret)); +#endif

• if (_ca != "" && (ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0) throw format ("Bad CA file. {1}", gnutls_strerror (ret));

[taskwarrior]

Migrated metadata:

Created: 2016-10-01T19:27:50Z
Modified: 2016-12-19T17:13:33Z

[taskwarrior]

Paul Beckingham on 2016-12-19T17:13:33Z says:

Excellent. Thank you for the patch.