Check and load ca path (#2885)

Co-authored-by: Heran Yang <[email protected]>
haiwen · Feb 8, 2025 · 9d6359c · 9d6359c
1 parent 4d9fc62
commit 9d6359c
Showing 1 changed file with 43 additions and 6 deletions.
diff --git a/daemon/http-tx-mgr.c b/daemon/http-tx-mgr.c
@@ -97,6 +97,7 @@ struct _HttpTxPriv {
     SeafTimer *reset_bytes_timer;
 
     char *ca_bundle_path;
+    char *env_ca_bundle_path;
 
     /* Regex to parse error message returned by update-branch. */
     GRegex *locked_error_regex;
@@ -283,6 +284,7 @@ http_tx_manager_new (struct _SeafileSession *seaf)
 {
     HttpTxManager *mgr = g_new0 (HttpTxManager, 1);
     HttpTxPriv *priv = g_new0 (HttpTxPriv, 1);
+    const char *env_ca_path = NULL;
 
     mgr->seaf = seaf;
 
@@ -298,6 +300,10 @@ http_tx_manager_new (struct _SeafileSession *seaf)
 
     priv->ca_bundle_path = g_build_filename (seaf->seaf_dir, "ca-bundle.pem", NULL);
 
+    env_ca_path = g_getenv("SEAFILE_SSL_CA_PATH");
+    if (env_ca_path)
+        priv->env_ca_bundle_path = g_strdup (env_ca_path);
+
     GError *error = NULL;
     priv->locked_error_regex = g_regex_new (LOCKED_ERROR_PATTERN, 0, 0, &error);
     if (error) {
@@ -511,6 +517,43 @@ load_ca_bundle (CURL *curl)
 
     curl_easy_setopt (curl, CURLOPT_CAINFO, ca_bundle_path);
 }
+#else
+
+char *ca_paths[] = {
+    "/etc/ssl/certs/ca-certificates.crt",
+    "/etc/ssl/certs/ca-bundle.crt",
+    "/etc/pki/tls/certs/ca-bundle.crt",
+    "/usr/share/ssl/certs/ca-bundle.crt",
+    "/usr/local/share/certs/ca-root-nss.crt",
+    "/etc/ssl/cert.pem",
+};
+
+static void
+load_ca_bundle(CURL *curl)
+{
+    const char *env_ca_path = seaf->http_tx_mgr->priv->env_ca_bundle_path;
+    int i;
+    const char *ca_path;
+    gboolean found = FALSE;
+
+    for (i = 0; i < sizeof(ca_paths) / sizeof(ca_paths[0]); i++) {
+        ca_path = ca_paths[i];
+        if (seaf_util_exists (ca_path)) {
+            found = TRUE;
+            break;
+        }
+    }
+
+    if (env_ca_path) {
+        if (seaf_util_exists (env_ca_path)) {
+            curl_easy_setopt (curl, CURLOPT_CAINFO, env_ca_path);
+            return;
+        }
+    }
+
+    if (found)
+        curl_easy_setopt (curl, CURLOPT_CAINFO, ca_path);
+}
 #endif  /* __linux__ */
 
 static gboolean
@@ -779,10 +822,8 @@ http_get (CURL *curl, const char *url, const char *token,
     curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
 
 #ifndef USE_GPL_CRYPTO
-#if defined WIN32 || defined __APPLE__
     load_ca_bundle (curl);
 #endif
-#endif
 
 #ifndef USE_GPL_CRYPTO
     if (!seaf->disable_verify_certificate) {
@@ -928,10 +969,8 @@ http_put (CURL *curl, const char *url, const char *token,
     curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
 
 #ifndef USE_GPL_CRYPTO
-#if defined WIN32 || defined __APPLE__
     load_ca_bundle (curl);
 #endif
-#endif
 
 #ifndef USE_GPL_CRYPTO
     if (!seaf->disable_verify_certificate) {
@@ -1040,10 +1079,8 @@ http_post (CURL *curl, const char *url, const char *token,
     }
 
 #ifndef USE_GPL_CRYPTO
-#if defined WIN32 || defined __APPLE__
     load_ca_bundle (curl);
 #endif
-#endif
 
 #ifndef USE_GPL_CRYPTO
     if (!seaf->disable_verify_certificate) {