Use CA configuration from NetworkOptions (#53)

* Use CA configuration from NetworkOptions

This patch uses CA configuration from NetworkOptions instead of
directly using the certificates from MozillaCACerts_jll. The benefits
are:
 - On Linux machines this will use system configured certificates which
   are typically kept up to date using the package manager or similar.
 - The default can be overwridden using environment variables (see
   NetworkOptions README).

Fixes #37, fixes JuliaWeb/HTTP.jl#1239.

* Set version to 1.6.0.

Author: fredrikekre

Project.toml

@@ -1,12 +1,13 @@
 name = "OpenSSL"
 uuid = "4d8831e6-92b7-49fb-bdf8-b643e874388c"
-version = "1.5.0"
+version = "1.6.0"
 authors = ["Greg Lapinski <[email protected]>", "Jacob Quinn <[email protected]>"]
 
 [deps]
 BitFlags = "d1d4a3ce-64b1-5f1a-9ba4-7e7e69966f35"
 Dates = "ade2ca70-3891-5945-98fb-dc099432e06a"
 MozillaCACerts_jll = "14a3606d-f60d-562e-9121-12d972cd8159"
+NetworkOptions = "ca575930-c2e3-43a9-ace4-1e988b2c1908"
 OpenSSL_jll = "458c3c95-2e84-50aa-8efc-19380b2a3a95"
 Sockets = "6462fe0b-24de-5631-8697-dd941f90decc"
 

src/OpenSSL.jl

@@ -5,6 +5,7 @@ using Dates
 using OpenSSL_jll
 using Sockets
 using MozillaCACerts_jll
+using NetworkOptions: NetworkOptions
 
 """
     [x] Encryption, decryption

src/ssl.jl

@@ -127,14 +127,21 @@ end
 
 const SSL_MODE_AUTO_RETRY = 0x00000004
 
+# Use NetworkOptions for default CA file so that it can be configured using the standard
+# environment variables (JULIA_SSL_CA_ROOTS_PATH, SSL_CERT_DIR, and SSL_CERT_FILE).
+# TODO: On Windows and macOS `ca_roots` return `nothing` to indicate that system configured
+#       certificates should be preferred but for now we fall back to the certificate from
+#       MozillaCACerts_jll.
+default_cacert() = something(NetworkOptions.ca_roots(), MozillaCACerts_jll.cacert)
+
 """
     This is the global context structure which is created by a server or client once per program life-time
     and which holds mainly default values for the SSL structures which are later created for the connections.
 """
 mutable struct SSLContext
     ssl_ctx::Ptr{Cvoid}
 
-    function SSLContext(ssl_method::SSLMethod, verify_file::String=MozillaCACerts_jll.cacert)
+    function SSLContext(ssl_method::SSLMethod, verify_file::String = default_cacert())
         ssl_ctx = ccall(
             (:SSL_CTX_new, libssl),
             Ptr{Cvoid},
@@ -154,13 +161,8 @@ mutable struct SSLContext
             (SSLContext, Cint, Clong, Ptr{Cvoid}),
             ssl_context, 33, SSL_MODE_AUTO_RETRY, C_NULL)
         if !isempty(verify_file)
-            @assert ccall(
-                (:SSL_CTX_load_verify_locations, libssl),
-                Cint,
-                (SSLContext, Ptr{Cchar}, Ptr{Cchar}),
-                ssl_context,
-                verify_file,
-                C_NULL) == 1
+            ret = ca_chain!(ssl_context, verify_file)
+            @assert ret == 1
         end
 
         return ssl_context