Fix #393: defer setting GnuTLS CA trust to ssl_open()

As mentioned in #391, setting the CA trust for the OpenSSL backend is
deferred to ssl_open().  This patch defers the GnuTLS CA init in a
similar fashion, allowing a custom user-defined trust file to be set
also when using the GnuTLS backend.

Verified manually with the FreeDNS plugin and three different CA files:

 - /etc/ssl/certs/ca-certificates.crt (everything works, CAFILE1)
 - /etc/ssl/certs/UCA_Global_G2_Root.pem (validation fails, expected)
 - /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt (works)

Signed-off-by: Joachim Wiberg <[email protected]>

src/gnutls.c

@@ -124,6 +124,7 @@ static int ssl_set_ca_location(void)
 
 	/* A user defined CA PEM bundle overrides any built-ins or fall-backs */
 	if (ca_trust_file) {
+		logit(LOG_DEBUG, "Using CA PEM bundle: %s", ca_trust_file);
 		num = gnutls_certificate_set_x509_trust_file(xcred, ca_trust_file, GNUTLS_X509_FMT_PEM);
 		goto done;
 	}
@@ -154,11 +155,6 @@ int ssl_init(void)
 
 	/* X509 stuff */
 	gnutls_certificate_allocate_credentials(&xcred);
-
-	/* Try to figure out location of trusted CA certs on system */
-	if (ssl_set_ca_location())
-		return RC_HTTPS_NO_TRUSTED_CA_STORE;
-
 	gnutls_certificate_set_verify_function(xcred, verify_certificate_callback);
 
 	return 0;
@@ -200,6 +196,10 @@ int ssl_open(http_t *client, char *msg)
 	if (!client->ssl_enabled)
 		return tcp_init(&client->tcp, msg);
 
+	/* Try to figure out location of trusted CA certs on system */
+	if (ssl_set_ca_location())
+		return RC_HTTPS_NO_TRUSTED_CA_STORE;
+
 	/* Initialize TLS session */
 	logit(LOG_INFO, "%s, initiating HTTPS ...", msg);
 	gnutls_init(&client->ssl, GNUTLS_CLIENT);