diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index 35f1cdc53..1faa6c14c 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@@ -80,6 +80,7 @@ void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e);
 int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf, int append);
 int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type);
 int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror);
+const char *ha_default_cert_dir();
 
 extern struct cert_exts cert_exts[];
 extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err);
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 7753fb718..6a60d64f7 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1490,6 +1490,25 @@ end:
 	return retval;
 }
 
+/*
+ * return the default verify cert directory.
+ *
+ * It might provided by the SSL library or set in an environment variable
+ * (commonly SSL_CERT_DIR)
+ */
+const char *ha_default_cert_dir()
+{
+	const char *dir = NULL;
+	const char *certdir_varname = X509_get_default_cert_dir_env();
+
+	if (certdir_varname)
+		dir = getenv(certdir_varname);
+	if (dir == NULL)
+		dir = X509_get_default_cert_dir();
+
+	return dir;
+}
+
 /*
  * Try to load a ca-file from disk into the ca-file cache.
  * allows you to to stop emitting the errors.
@@ -1519,7 +1538,7 @@ int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_
 	}
 
 	if (strcmp(path, "@system-ca") == 0) {
-		dir = X509_get_default_cert_dir();
+		dir = ha_default_cert_dir();
 		if (!dir) {
 			if (!shuterror)
 				ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().\n");
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7a75d7c5b..b566c85a3 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
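Review bot: The added prototype `const char *ha_default_cert_dir();` is a non-prototype declaration in C — empty parentheses mean "unspecified arguments", not "no arguments" — so call sites get no argument checking and the line trips -Wstrict-prototypes. Declare it as `const char *ha_default_cert_dir(void);` here and match it in the definition in src/ssl_ckch.c. A one-line comment above it stating the lookup order would also save readers a trip to the .c file, e.g. `/* value of the SSL library's cert-dir env var (commonly SSL_CERT_DIR) if set, else X509_get_default_cert_dir() */`.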
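Review bot: ha_default_cert_dir() reads the trust-store location from the environment with plain getenv(), so in a setuid/setgid or file-capability binary (AT_SECURE set) an unprivileged invoker can redirect `@system-ca` to a directory of their choosing; as far as I recall, OpenSSL's own default-path loader reads the same variable through a secure_getenv-style wrapper that returns NULL in that situation, so this helper is more permissive than the library behaviour it is meant to mirror. Consider `dir = secure_getenv(certdir_varname);` where available (glibc with _GNU_SOURCE), or at least state in the function comment that the override is honoured regardless of AT_SECURE. Separately, an empty `SSL_CERT_DIR=` in the environment makes getenv() return `""` rather than NULL, so the fallback on the next line never fires and the caller goes on to load from an empty path; `if (dir == NULL || *dir == '\0')` keeps the library default for that case. The header comment also has a typo: `It might provided` → `It might be provided`.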
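Review bot: The alert on the last line of the hunk still blames X509_get_default_cert_dir() alone, but `dir` now comes from ha_default_cert_dir(), which also consults the SSL library's cert-dir environment variable, so when both sources are empty the message points an operator at only half of the lookup. Suggest `ha_alert("Couldn't get the system CA directory from the environment or X509_get_default_cert_dir().\n");` so the diagnostic names both places to check. The body of __ssl_store_load_locations_file continues outside the hunk.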
@@ -8554,7 +8554,7 @@ static void ssl_register_build_options()
 #if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
 	memprintf(&ptr, "%s\nSSL library FIPS mode : %s", ptr, FIPS_mode() ? "yes" : "no");
 #endif
-	memprintf(&ptr, "%s\nSSL library default verify directory : %s", ptr, X509_get_default_cert_dir());
+	memprintf(&ptr, "%s\nSSL library default verify directory : %s", ptr, ha_default_cert_dir());
 	memprintf(&ptr, "%s\nSSL library supports :", ptr);
 	for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
 		if (methodVersions[i].option)
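Review bot: The label `SSL library default verify directory` on the changed memprintf line is no longer accurate when the library's cert-dir variable (commonly SSL_CERT_DIR) is set, because ha_default_cert_dir() then reports the environment override rather than the compiled-in library default, and someone comparing `haproxy -vv` output against the OpenSSL build will be misled. Either reword the label, e.g. `"%s\nSSL default verify directory (library default or env override) : %s"`, or keep this line as the library default and add a second line for the effective value; if external tooling parses the existing label, the second option is the safer one. The enclosing ssl_register_build_options() continues past the hunk.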