2008-12-04 Tatsuhiro Tsujikawa <[email protected]>

	Enabled --check-certificate by default.  Added compile
	time(configure) option --with-ca-bundle to specify CA bundle.
	Warn if --check-certificate=true and --ca-certificate is not
	specified or loading CA certificate is failed.
	* configure.ac
	* src/MultiUrlRequestInfo.cc
	* src/OptionHandlerFactory.cc
	* src/message.h

ChangeLog

@@ -1,3 +1,14 @@
+2008-12-04  Tatsuhiro Tsujikawa  <[email protected]>
+
+	Enabled --check-certificate by default.  Added compile
+	time(configure) option --with-ca-bundle to specify CA bundle.
+	Warn if --check-certificate=true and --ca-certificate is not
+	specified or loading CA certificate is failed.
+	* configure.ac
+	* src/MultiUrlRequestInfo.cc
+	* src/OptionHandlerFactory.cc
+	* src/message.h
+
 2008-12-03  Tatsuhiro Tsujikawa  <[email protected]>
 
 	Mentioned https tag in help option.

Makefile.in

@@ -241,6 +241,7 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+ca_bundle = @ca_bundle@
 datadir = @datadir@
 datarootdir = @datarootdir@
 docdir = @docdir@

configure

@@ -742,6 +742,7 @@ LIBZ_LIBS
 LIBZ_CPPFLAGS
 ENABLE_SSL_TRUE
 ENABLE_SSL_FALSE
+ca_bundle
 HAVE_LIBGNUTLS_TRUE
 HAVE_LIBGNUTLS_FALSE
 HAVE_LIBSSL_TRUE
@@ -1449,6 +1450,7 @@ Optional Packages:
   --with-libexpat         use libexpat if it is installed.
   --with-libcares         use libcares if it is installed.
   --with-libz             use libz if it is installed.
+  --with-ca-bundle=FILE   Use FILE as default CA bundle.
   --with-xml-prefix=PFX   Prefix where libxml is installed (optional)
   --with-xml-exec-prefix=PFX Exec prefix where libxml is installed (optional)
   --with-libexpat-prefix=PREFIX  Prefix where libexpat installed (optional)
@@ -2781,6 +2783,15 @@ fi
 
 
 
+
+# Check whether --with-ca-bundle was given.
+if test "${with_ca_bundle+set}" = set; then
+  withval=$with_ca_bundle; ca_bundle=$withval
+else
+  ca_bundle=""
+fi
+
+
 # Checks for programs.
 ac_ext=cpp
 ac_cpp='$CXXCPP $CPPFLAGS'
@@ -7349,6 +7360,7 @@ else
   ENABLE_SSL_FALSE=
 fi
 
+
 else
    if false; then
   ENABLE_SSL_TRUE=
@@ -23057,6 +23069,7 @@ LIBZ_LIBS!$LIBZ_LIBS$ac_delim
 LIBZ_CPPFLAGS!$LIBZ_CPPFLAGS$ac_delim
 ENABLE_SSL_TRUE!$ENABLE_SSL_TRUE$ac_delim
 ENABLE_SSL_FALSE!$ENABLE_SSL_FALSE$ac_delim
+ca_bundle!$ca_bundle$ac_delim
 HAVE_LIBGNUTLS_TRUE!$HAVE_LIBGNUTLS_TRUE$ac_delim
 HAVE_LIBGNUTLS_FALSE!$HAVE_LIBGNUTLS_FALSE$ac_delim
 HAVE_LIBSSL_TRUE!$HAVE_LIBSSL_TRUE$ac_delim
@@ -23126,7 +23139,6 @@ LTLIBINTL!$LTLIBINTL$ac_delim
 POSUB!$POSUB$ac_delim
 LIBOBJS!$LIBOBJS$ac_delim
 HAVE_ASCTIME_R_TRUE!$HAVE_ASCTIME_R_TRUE$ac_delim
-HAVE_ASCTIME_R_FALSE!$HAVE_ASCTIME_R_FALSE$ac_delim
 _ACEOF
 
   if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -23168,6 +23180,7 @@ _ACEOF
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
   cat >conf$$subs.sed <<_ACEOF
+HAVE_ASCTIME_R_FALSE!$HAVE_ASCTIME_R_FALSE$ac_delim
 HAVE_BASENAME_TRUE!$HAVE_BASENAME_TRUE$ac_delim
 HAVE_BASENAME_FALSE!$HAVE_BASENAME_FALSE$ac_delim
 HAVE_GAI_STRERROR_TRUE!$HAVE_GAI_STRERROR_TRUE$ac_delim
@@ -23187,7 +23200,7 @@ HAVE_TIMEGM_FALSE!$HAVE_TIMEGM_FALSE$ac_delim
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 17; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 18; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
@@ -23911,6 +23924,7 @@ echo "LIBS:           $LIBS"
 echo "SQLite3:        $have_sqlite3"
 echo "GnuTLS:         $have_libgnutls"
 echo "OpenSSL:        $have_openssl"
+echo "CA Bundle:      $ca_bundle"
 echo "LibXML2:        $have_libxml2"
 echo "LibExpat:       $have_libexpat"
 echo "LibCares:       $have_libcares"

configure.ac

@@ -36,6 +36,10 @@ ARIA2_ARG_ENABLE([bittorrent])
 ARIA2_ARG_ENABLE([metalink])
 ARIA2_ARG_ENABLE([epoll])
 
+AC_ARG_WITH([ca-bundle],
+  AC_HELP_STRING([--with-ca-bundle=FILE], [Use FILE as default CA bundle.]),
+  [ca_bundle=$withval], [ca_bundle=""])
+
 # Checks for programs.
 AC_PROG_CXX
 AC_PROG_CC
@@ -100,6 +104,7 @@ fi
 if test "x$have_libgnutls" = "xyes" || test "x$have_openssl" = "xyes"; then
   AC_DEFINE([ENABLE_SSL], [1], [Define to 1 if ssl support is enabled.])
   AM_CONDITIONAL([ENABLE_SSL], true)
+  AC_SUBST([ca_bundle])
 else
   AM_CONDITIONAL([ENABLE_SSL], false)
 fi
@@ -341,6 +346,7 @@ echo "LIBS:           $LIBS"
 echo "SQLite3:        $have_sqlite3"
 echo "GnuTLS:         $have_libgnutls"
 echo "OpenSSL:        $have_openssl"
+echo "CA Bundle:      $ca_bundle"
 echo "LibXML2:        $have_libxml2"
 echo "LibExpat:       $have_libexpat"
 echo "LibCares:       $have_libcares"

doc/Makefile.in

@@ -215,6 +215,7 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+ca_bundle = @ca_bundle@
 datadir = @datadir@
 datarootdir = @datarootdir@
 docdir = @docdir@

lib/Makefile.in

@@ -201,6 +201,7 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+ca_bundle = @ca_bundle@
 datadir = @datadir@
 datarootdir = @datarootdir@
 docdir = @docdir@

m4/Makefile.in

@@ -201,6 +201,7 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+ca_bundle = @ca_bundle@
 datadir = @datadir@
 datarootdir = @datarootdir@
 docdir = @docdir@

src/Makefile.am

@@ -494,4 +494,4 @@ AM_CPPFLAGS =  -Wall\
 	@LIBGNUTLS_CFLAGS@ @LIBGCRYPT_CFLAGS@ @OPENSSL_CFLAGS@ @XML_CPPFLAGS@\
 	@LIBCARES_CPPFLAGS@ @LIBEXPAT_CPPFLAGS@\
 	@LIBZ_CPPFLAGS@	 @SQLITE3_CPPFLAGS@\
-	-DLOCALEDIR=\"$(localedir)\" @DEFS@ #-pg
+	-DLOCALEDIR=\"$(localedir)\" -DCA_BUNDLE=\"$(ca_bundle)\" @DEFS@ #-pg

src/Makefile.in

@@ -984,6 +984,7 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+ca_bundle = @ca_bundle@
 datadir = @datadir@
 datarootdir = @datarootdir@
 docdir = @docdir@
@@ -1163,7 +1164,7 @@ AM_CPPFLAGS = -Wall\
 	@LIBGNUTLS_CFLAGS@ @LIBGCRYPT_CFLAGS@ @OPENSSL_CFLAGS@ @XML_CPPFLAGS@\
 	@LIBCARES_CPPFLAGS@ @LIBEXPAT_CPPFLAGS@\
 	@LIBZ_CPPFLAGS@	 @SQLITE3_CPPFLAGS@\
-	-DLOCALEDIR=\"$(localedir)\" @DEFS@ #-pg
+	-DLOCALEDIR=\"$(localedir)\" -DCA_BUNDLE=\"$(ca_bundle)\" @DEFS@ #-pg
 
 all: all-am
 

src/MultiUrlRequestInfo.cc

@@ -144,8 +144,16 @@ int MultiUrlRequestInfo::execute()
 				   _option->get(PREF_PRIVATE_KEY));
     }
     if(_option->defined(PREF_CA_CERTIFICATE)) {
-      tlsContext->addTrustedCACertFile(_option->get(PREF_CA_CERTIFICATE));
+      try {
+	tlsContext->addTrustedCACertFile(_option->get(PREF_CA_CERTIFICATE));
+      } catch(RecoverableException& e) {
+	_logger->error(EX_EXCEPTION_CAUGHT, e);
+	_logger->warn(MSG_WARN_NO_CA_CERT);
+      }
+    } else if(_option->getAsBool(PREF_CHECK_CERTIFICATE)) {
+      _logger->warn(MSG_WARN_NO_CA_CERT);
     }
+
     if(_option->getAsBool(PREF_CHECK_CERTIFICATE)) {
       tlsContext->enablePeerVerification();
     }

src/OptionHandlerFactory.cc

@@ -432,7 +432,8 @@ OptionHandlers OptionHandlerFactory::createOptionHandlers()
   {
     SharedHandle<OptionHandler> op(new DefaultOptionHandler
 				   (PREF_CA_CERTIFICATE,
-				    TEXT_CA_CERTIFICATE));
+				    TEXT_CA_CERTIFICATE,
+				    CA_BUNDLE));
     op->addTag(TAG_HTTP);
     op->addTag(TAG_HTTPS);
     handlers.push_back(op);
@@ -449,7 +450,7 @@ OptionHandlers OptionHandlerFactory::createOptionHandlers()
     SharedHandle<OptionHandler> op(new BooleanOptionHandler
 				   (PREF_CHECK_CERTIFICATE,
 				    TEXT_CHECK_CERTIFICATE,
-				    V_FALSE));
+				    V_TRUE));
     op->addTag(TAG_HTTP);
     op->addTag(TAG_HTTPS);
     handlers.push_back(op);

src/message.h

@@ -164,6 +164,9 @@
 #define MSG_NO_CERT_FOUND _("No certificate found.")
 #define MSG_HOSTNAME_NOT_MATCH _("Hostname not match.")
 #define MSG_NO_FILES_TO_DOWNLOAD _("No files to download.")
+#define MSG_WARN_NO_CA_CERT \
+  _("You may encounter the certificate verification error with HTTPS server."\
+    " See --ca-certificate and --check-certificate option.")
 
 #define EX_TIME_OUT _("Timeout.")
 #define EX_INVALID_CHUNK_SIZE _("Invalid chunk size.")

test/Makefile.in

@@ -531,6 +531,7 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+ca_bundle = @ca_bundle@
 datadir = @datadir@
 datarootdir = @datarootdir@
 docdir = @docdir@