diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c index 9cd7220b2..0d28a5edf 100644 --- a/src/tls/openssl/tls.c +++ b/src/tls/openssl/tls.c @@ -49,8 +49,6 @@ struct tls { bool verify_client; /**< Enable SIP TLS client verification */ struct session_reuse reuse; struct list certs; /**< Certificates for SNI selection */ - char *capath; - char *cafile; }; /** @@ -129,8 +127,6 @@ static void destructor(void *data) hash_flush(tls->reuse.ht_sessions); mem_deref(tls->reuse.ht_sessions); mem_deref(tls->pass); - mem_deref(tls->capath); - mem_deref(tls->cafile); list_flush(&tls->certs); } @@ -380,12 +376,6 @@ int tls_add_cafile_path(struct tls *tls, const char *cafile, return ENOTDIR; } - tls->cafile = mem_deref(tls->cafile); - tls->capath = mem_deref(tls->capath); - - str_dup(&tls->cafile, cafile); - str_dup(&tls->capath, capath); - /* Load the CAs we trust */ if (!(SSL_CTX_load_verify_locations(tls->ctx, cafile, capath))) { @@ -2006,12 +1996,9 @@ int tls_add_certf(struct tls *tls, const char *certf, const char *host) if (err) goto err; - /* Load the CAs we trust */ - if (!(SSL_CTX_load_verify_locations(uc->ctx, tls->cafile, - tls->capath))) { - err = ENOENT; - goto err; - } + X509_STORE *ca = SSL_CTX_get_cert_store(tls->ctx); + X509_STORE_up_ref(ca); + SSL_CTX_set_cert_store(uc->ctx, ca); list_append(&tls->certs, &uc->le, uc); if (list_count(&tls->certs) == 1)