From b1f3961447dfccdf6d2545d9f8966c796bebaf9f Mon Sep 17 00:00:00 2001
From: Sebastian Reimers <hallo@studio-link.de>
Date: Wed, 5 Jun 2024 08:41:16 +0200
Subject: [PATCH] refactor cert_store verify

---
 src/tls/openssl/tls.c | 19 +++----------------
 1 file changed, 3 insertions(+), 16 deletions(-)

diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c
index 9cd7220b2..0d28a5edf 100644
--- a/src/tls/openssl/tls.c
+++ b/src/tls/openssl/tls.c
@@ -49,8 +49,6 @@ struct tls {
 	bool verify_client;  /**< Enable SIP TLS client verification   */
 	struct session_reuse reuse;
 	struct list certs;   /**< Certificates for SNI selection       */
-	char *capath;
-	char *cafile;
 };
 
 /**
@@ -129,8 +127,6 @@ static void destructor(void *data)
 	hash_flush(tls->reuse.ht_sessions);
 	mem_deref(tls->reuse.ht_sessions);
 	mem_deref(tls->pass);
-	mem_deref(tls->capath);
-	mem_deref(tls->cafile);
 	list_flush(&tls->certs);
 }
 
@@ -380,12 +376,6 @@ int tls_add_cafile_path(struct tls *tls, const char *cafile,
 		return ENOTDIR;
 	}
 
-	tls->cafile = mem_deref(tls->cafile);
-	tls->capath = mem_deref(tls->capath);
-
-	str_dup(&tls->cafile, cafile);
-	str_dup(&tls->capath, capath);
-
 	/* Load the CAs we trust */
 	if (!(SSL_CTX_load_verify_locations(tls->ctx, cafile, capath))) {
 
@@ -2006,12 +1996,9 @@ int tls_add_certf(struct tls *tls, const char *certf, const char *host)
 	if (err)
 		goto err;
 
-	/* Load the CAs we trust */
-	if (!(SSL_CTX_load_verify_locations(uc->ctx, tls->cafile,
-					    tls->capath))) {
-		err = ENOENT;
-		goto err;
-	}
+	X509_STORE *ca = SSL_CTX_get_cert_store(tls->ctx);
+	X509_STORE_up_ref(ca);
+	SSL_CTX_set_cert_store(uc->ctx, ca);
 
 	list_append(&tls->certs, &uc->le, uc);
 	if (list_count(&tls->certs) == 1)