From 2f6ab703ff580e49e15d37835fa25f414bcdcd56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Remko=20Tron=C3=A7on?= Date: Sat, 13 Oct 2012 10:55:05 +0200 Subject: Added extra comment about OpenSSL on Mac OS X. Change-Id: I339364406d92226203af876f558bc07686d75cbf diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp index 000e987..e8a9019 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp +++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp @@ -65,9 +65,12 @@ OpenSSLContext::OpenSSLContext() : state_(Start), context_(0), handle_(0), readB #elif !defined(SWIFTEN_PLATFORM_MACOSX) SSL_CTX_load_verify_locations(context_, NULL, "/etc/ssl/certs"); #elif defined(SWIFTEN_PLATFORM_MACOSX) - // On Mac OS X 10.8 (OpenSSL 0.9.8r), OpenSSL does not automatically look in the system store. // On Mac OS X 10.5 (OpenSSL < 0.9.8), OpenSSL does not automatically look in the system store. - // We therefore add all certs from the system store ourselves. + // On Mac OS X 10.6 (OpenSSL >= 0.9.8), OpenSSL *does* look in the system store to determine trust. + // However, if there is a certificate error, it will always emit the "Invalid CA" error if we didn't add + // the certificates first. See + // http://opensource.apple.com/source/OpenSSL098/OpenSSL098-27/src/crypto/x509/x509_vfy_apple.c + // to understand why. We therefore add all certs from the system store ourselves. X509_STORE* store = SSL_CTX_get_cert_store(context_); CFArrayRef anchorCertificates; if (SecTrustCopyAnchorCertificates(&anchorCertificates) == 0) { -- cgit v0.10.2-6-g49f6