[spice-gtk v6] Use system-wide trust certificate store

Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
by default for its trust certificate store (to verify the certificates
used during SPICE TLS connections).
However, these days, progress is under way to have a system-wide
certificate store [1].
In order to use it, we only need to call SSL_CTX_set_default_verify_paths()
and it will automatically use the shared system CA store if the distro
is properly set up.
We only try to use that store if there was no user-provided CA file to use,
or if we failed to load it.

[1] https://fedoraproject.org/wiki/Features/SharedSystemCertificates
---
 gtk/spice-channel.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index d122920..035cb98 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -2154,6 +2154,7 @@ static int spice_channel_load_ca(SpiceChannel *channel)
     guint8 *ca;
     guint size;
     const gchar *ca_file;
+    int rc;
 
     g_return_val_if_fail(c->ctx != NULL, 0);
 
@@ -2185,13 +2186,21 @@ static int spice_channel_load_ca(SpiceChannel *channel)
     }
 
     if (ca_file != NULL) {
-        int rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
+        rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
         if (rc != 1)
             g_warning("loading ca certs from %s failed", ca_file);
         else
             count++;
     }
 
+    if (count == 0) {
+        rc = SSL_CTX_set_default_verify_paths(c->ctx);
+        if (rc != 1)
+            g_warning("loading ca certs from default location failed");
+        else
+            count++;
+    }
+
     return count;
 }
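Review bot: the new `if (count == 0)` block at the end of spice_channel_load_ca() is also reached when ca_file was set but SSL_CTX_load_verify_locations() failed, because the `rc != 1` branch above it only emits a g_warning and leaves count at 0. A mistyped path or a corrupt PEM therefore silently widens the trusted roots from the single file the user named to the whole distro store, and the warning text does not say that this substitution happened. Consider limiting the fallback to the case where no CA file was explicitly configured, or at minimum changing the g_warning to state that the system store is being used instead of the configured file. Two smaller points on the same block: SSL_CTX_set_default_verify_paths() returns 1 once the default file/directory lookups are registered, not once a CA has actually been read, so the "loading ca certs from default location failed" warning will rarely fire and `count++` can reflect an empty store; and the default paths honour the SSL_CERT_FILE and SSL_CERT_DIR environment variables, which is worth a comment (or a g_debug of the resolved locations) so an unexpected trust decision can be traced.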
 
-- 
1.8.4.2
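The fallback order the commit message describes (explicit CA file first, then the OpenSSL default verify paths if no file was given or it could not be loaded) can be exercised without building spice-gtk. The following is an added example, not spice-gtk code or part of this patch; it uses Python's ssl module, whose load_verify_locations() and set_default_verify_paths() wrap the same OpenSSL calls SSL_CTX_load_verify_locations() and SSL_CTX_set_default_verify_paths(). The `strict` flag, the function names and the corrupt truststore file are assumptions introduced here to show the failure mode where a broken user file silently falls back to the system store.

```python
import os
import ssl
import tempfile

# Added example, not spice-gtk code. ssl.SSLContext.load_verify_locations()
# wraps SSL_CTX_load_verify_locations(); ssl.SSLContext.set_default_verify_paths()
# wraps SSL_CTX_set_default_verify_paths().


def build_trust_context(ca_file=None, strict=False):
    """Build a verifying TLS client context.

    Order mirrors the patch: an explicit CA file wins; if none is given, or it
    fails to load, fall back to the OpenSSL default paths.  strict=True is the
    hypothetical hardened variant: a CA file that was configured but cannot be
    loaded is an error rather than a silent switch to the much larger system
    store.  Returns (ctx, source) with source "user" or "system".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True

    if ca_file is not None:
        try:
            ctx.load_verify_locations(cafile=ca_file)
            return ctx, "user"
        except (OSError, ssl.SSLError) as exc:
            if strict:
                raise RuntimeError(f"loading ca certs from {ca_file} failed") from exc
            print(f"warning: loading ca certs from {ca_file} failed ({exc}); "
                  "using system store instead")

    # Equivalent of SSL_CTX_set_default_verify_paths(): registers the
    # distro-configured CA file and directory, honouring SSL_CERT_FILE /
    # SSL_CERT_DIR if they are set.  This does not fail on a missing store,
    # so returning here does not prove any CA certificate was loaded.
    ctx.set_default_verify_paths()
    return ctx, "system"


def default_store_locations():
    """Report where the default paths point and whether env vars override them."""
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.cafile,
        "capath": paths.capath,
        "cafile_env": paths.openssl_cafile_env,
        "capath_env": paths.openssl_capath_env,
        "overridden": paths.openssl_cafile_env in os.environ
        or paths.openssl_capath_env in os.environ,
    }


def demo():
    """Run the fallback against a missing file and a constructed corrupt file."""
    with tempfile.TemporaryDirectory() as d:
        corrupt = os.path.join(d, "spice_truststore.pem")
        with open(corrupt, "w") as f:
            f.write("this is not a certificate\n")  # constructed bad CA file
        missing = os.path.join(d, "absent.pem")

        results = {
            "none": build_trust_context()[1],
            "missing": build_trust_context(missing)[1],
            "corrupt": build_trust_context(corrupt)[1],
        }
        try:
            build_trust_context(corrupt, strict=True)
            results["strict"] = "fallback"
        except RuntimeError:
            results["strict"] = "error"
    return results


if __name__ == "__main__":
    print(demo())
    print(default_store_locations())
```

The three non-strict cases all end up on the system store, which is exactly what the patch does; only the strict variant refuses to proceed when the configured file is unusable. default_store_locations() is the check to run when a connection trusts something unexpected: it shows the resolved default file and directory and whether SSL_CERT_FILE or SSL_CERT_DIR is redirecting them.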

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel