summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemko Tronçon <git@el-tramo.be>2012-10-13 08:55:05 (GMT)
committerRemko Tronçon <git@el-tramo.be>2012-10-13 08:55:05 (GMT)
commit2f6ab703ff580e49e15d37835fa25f414bcdcd56 (patch)
tree2d47805cec88fa1c95d47d24edb1ad42f1cff9b4
parent3cf3828562d54db0ddaacfcea755b15c5b8c5e90 (diff)
downloadswift-2f6ab703ff580e49e15d37835fa25f414bcdcd56.zip
swift-2f6ab703ff580e49e15d37835fa25f414bcdcd56.tar.bz2
Added extra comment about OpenSSL on Mac OS X.
Change-Id: I339364406d92226203af876f558bc07686d75cbf
-rw-r--r--Swiften/TLS/OpenSSL/OpenSSLContext.cpp7
1 files changed, 5 insertions, 2 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
index 000e987..e8a9019 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -65,9 +65,12 @@ OpenSSLContext::OpenSSLContext() : state_(Start), context_(0), handle_(0), readB
#elif !defined(SWIFTEN_PLATFORM_MACOSX)
SSL_CTX_load_verify_locations(context_, NULL, "/etc/ssl/certs");
#elif defined(SWIFTEN_PLATFORM_MACOSX)
- // On Mac OS X 10.8 (OpenSSL 0.9.8r), OpenSSL does not automatically look in the system store.
// On Mac OS X 10.5 (OpenSSL < 0.9.8), OpenSSL does not automatically look in the system store.
- // We therefore add all certs from the system store ourselves.
+ // On Mac OS X 10.6 (OpenSSL >= 0.9.8), OpenSSL *does* look in the system store to determine trust.
+ // However, if there is a certificate error, it will always emit the "Invalid CA" error if we didn't add
+ // the certificates first. See
+ // http://opensource.apple.com/source/OpenSSL098/OpenSSL098-27/src/crypto/x509/x509_vfy_apple.c
+ // to understand why. We therefore add all certs from the system store ourselves.
X509_STORE* store = SSL_CTX_get_cert_store(context_);
CFArrayRef anchorCertificates;
if (SecTrustCopyAnchorCertificates(&anchorCertificates) == 0) {