[vlc-commits] gnutls: add an option to disable system trust

Rémi Denis-Courmont git at videolan.org
Sun Feb 26 18:51:04 CET 2017


vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Sun Feb 26 18:04:37 2017 +0200| [05fe80053d1586fa8340804fc90ee96395d39fc1] | committer: Rémi Denis-Courmont

gnutls: add an option to disable system trust

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=05fe80053d1586fa8340804fc90ee96395d39fc1
---

 modules/misc/gnutls.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/modules/misc/gnutls.c b/modules/misc/gnutls.c
index f6440ea..9373537 100644
--- a/modules/misc/gnutls.c
+++ b/modules/misc/gnutls.c
@@ -556,12 +556,15 @@ static int OpenClient (vlc_tls_creds_t *crd)
         return VLC_EGENERIC;
     }
 
-    val = gnutls_certificate_set_x509_system_trust (x509);
-    if (val < 0)
-        msg_Err (crd, "cannot load trusted Certificate Authorities: %s",
-                 gnutls_strerror (val));
-    else
-        msg_Dbg (crd, "loaded %d trusted CAs", val);
+    if (var_InheritBool(crd, "gnutls-system-trust"))
+    {
+        val = gnutls_certificate_set_x509_system_trust(x509);
+        if (val < 0)
+            msg_Err(crd, "cannot load trusted Certificate Authorities "
+                    "from %s: %s", "system", gnutls_strerror(val));
+        else
+            msg_Dbg(crd, "loaded %d trusted CAs from %s", val, "system");
+    }
 
     gnutls_certificate_set_verify_flags (x509,
                                          GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
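Review bot: When "gnutls-system-trust" is false the new block is silently skipped, so the credentials carry no trust anchors from this code path and the only later symptom is a verification failure with no log line explaining why; an `else` branch on the new `if` should record that, e.g. `else msg_Dbg(crd, "system trust database disabled by configuration");`. Whether another CA source is loaded afterwards cannot be seen here, since OpenClient starts and ends outside the hunk, so this is worth confirming before relying on the option being safe to turn off. Separately, passing the constant `"system"` through a `%s` in both messages reads as a placeholder for a trust-source name the hunk does not yet introduce; if that extension is planned, a short comment saying so would stop a reader from treating it as an oversight.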
@@ -724,6 +727,11 @@ static void CloseServer (vlc_tls_creds_t *crd)
 }
 #endif
 
+#define SYSTEM_TRUST_TEXT N_("Use system trust database")
+#define SYSTEM_TRUST_LONGTEXT N_( \
+    "Trust the root certificates of Certificate Authorities stored in " \
+    "the operating system trust database to authenticate TLS sessions.")
+
 #define PRIORITIES_TEXT N_("TLS cipher priorities")
 #define PRIORITIES_LONGTEXT N_("Ciphers, key exchange methods, " \
     "hash functions and compression methods can be selected. " \
@@ -750,6 +758,8 @@ vlc_module_begin ()
     set_callbacks( OpenClient, CloseClient )
     set_category( CAT_ADVANCED )
     set_subcategory( SUBCAT_ADVANCED_NETWORK )
+    add_bool("gnutls-system-trust", true, SYSTEM_TRUST_TEXT,
+             SYSTEM_TRUST_LONGTEXT, true)
     add_string ("gnutls-priorities", "NORMAL", PRIORITIES_TEXT,
                 PRIORITIES_LONGTEXT, false)
         change_string_list (priorities_values, priorities_text)
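Review bot: The option key `"gnutls-system-trust"` is spelled out twice, here in the module descriptor and in the `var_InheritBool` call in the first hunk, so a typo in either silently yields a variable that always reads as unset rather than a compile error. Defining it once next to the other descriptor macros, e.g. `#define SYSTEM_TRUST_VAR "gnutls-system-trust"`, and using that name in both places keeps the two in step. Defaulting the option to `true` is the right fail-safe choice and needs no change.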


