Add bssl client option to load a hashed directory of cacerts.
Useful for debugging TLS issues on Android.
Change-Id: Ibdf9233b30e297dbab6be86a4f6b1a9eab593dbf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/39464
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/tool/client.cc b/tool/client.cc
index f4d1441..a95e04e 100644
--- a/tool/client.cc
+++ b/tool/client.cc
@@ -117,10 +117,16 @@
},
{
"-root-certs", kOptionalArgument,
- "A filename containing one of more PEM root certificates. Implies that "
+ "A filename containing one or more PEM root certificates. Implies that "
"verification is required.",
},
{
+ "-root-cert-dir", kOptionalArgument,
+ "A directory containing one or more root certificate PEM files in "
+ "OpenSSL's hashed-directory format. Implies that verification is "
+ "required.",
+ },
+ {
"-early-data", kOptionalArgument, "Enable early data. The argument to "
"this flag is the early data to send or if it starts with '@', the "
"file to read from for early data.",
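Review bot: The new `-root-cert-dir` help text on lines 21-23 names "OpenSSL's hashed-directory format" without saying how to produce it, which is the first thing someone debugging on a device will need; a directory of plain PEM files will not be found by the lookup unless the `<subject-hash>.N` symlinks exist. Suggest extending the string, e.g. `"OpenSSL's hashed-directory format (as produced by c_rehash or openssl rehash). Implies that verification is required."`. The options table continues outside this hunk.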
@@ -500,6 +506,16 @@
SSL_CTX_set_verify(ctx.get(), SSL_VERIFY_PEER, nullptr);
}
+ if (args_map.count("-root-cert-dir") != 0) {
+ if (!SSL_CTX_load_verify_locations(
+ ctx.get(), nullptr, args_map["-root-cert-dir"].c_str())) {
+ fprintf(stderr, "Failed to load root certificates.\n");
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+ SSL_CTX_set_verify(ctx.get(), SSL_VERIFY_PEER, nullptr);
+ }
+
if (args_map.count("-early-data") != 0) {
SSL_CTX_set_early_data_enabled(ctx.get(), 1);
}
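Review bot: The error branch after `SSL_CTX_load_verify_locations` on lines 33-38 will not catch a mistyped, missing or empty directory: with a null file argument the call only registers the path for lookup, and the certificate files are read by subject hash during verification, so a wrong `-root-cert-dir` surfaces later as a handshake verification failure rather than here. A comment would save the next person a detour, e.g. `// Only registers the directory; files are looked up by subject hash at verify time, so a bad path fails the handshake, not this call.`. The message `"Failed to load root certificates.\n"` also appears to be the same text the `-root-certs` block above prints, so `"Failed to add root certificate directory.\n"` would tell the two apart in the output. The enclosing function starts and ends outside the hunk.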