commit 6d7861078433a7807f32359332a01479d71fc4ac
from: Oliver Lowe <o@olowe.co>
date: Mon Nov 24 01:32:23 2025 UTC

common: ignore SSL_CERT_FILE like libressl

From X509_LOOKUP_new(3):

> For reasons of security and simplicity, LibreSSL ignores the environment
> variables SSL_CERT_DIR and SSL_CERT_FILE

commit - 0b3e475621dfa6b22017095fb285c5087a1a096b
commit + 6d7861078433a7807f32359332a01479d71fc4ac
blob - 1e3e0e0bc3de23820ff52048228a7c77f7a3487d
blob + 331c2ee95d5a08f46fe9951c3f73524c2f8b1c76
--- src/common/ssl.c
+++ src/common/ssl.c
@@ -122,10 +122,6 @@ const gchar *claws_ssl_get_cert_file(void)
 		NULL};
 	int i;
 
-	/* We honor this environment variable on all platforms. */
-	if (g_getenv("SSL_CERT_FILE"))
-		return g_getenv("SSL_CERT_FILE");
-
 	for (i = 0; cert_files[i]; i++) {
 		if (is_file_exist(cert_files[i]))
 			return cert_files[i];
@@ -135,8 +131,6 @@ const gchar *claws_ssl_get_cert_file(void)
 
 const gchar *claws_ssl_get_cert_dir(void)
 {
-	if (g_getenv("SSL_CERT_DIR"))
-		return g_getenv("SSL_CERT_DIR");
 	const char *cert_dirs[]={
 		"/etc/pki/tls/certs",
 		"/etc/certs",
@@ -320,7 +314,7 @@ gboolean ssl_init_socket(SockInfo *sockinfo)
 	if (claws_ssl_get_cert_file()) {
 		r = gnutls_certificate_set_x509_trust_file(xcred, claws_ssl_get_cert_file(),  GNUTLS_X509_FMT_PEM);
 		if (r < 0)
-			g_warning("can't read SSL_CERT_FILE '%s': %s",
+			g_warning("get certificate file '%s': %s",
 				claws_ssl_get_cert_file(),
 				gnutls_strerror(r));
 	} else {
blob - 7bd2a781f41d37cd1f4392271426f4cf8295dc08
blob + 3daf7a4df9e4e454658eeda47e8c341a3d6a0bdf
--- src/common/ssl_certificate.c
+++ src/common/ssl_certificate.c
@@ -818,7 +818,7 @@ gboolean ssl_certificate_check_chain(gnutls_x509_crt_t
 		}
 
 		if (r < 0)
-			g_warning("can't read SSL_CERT_FILE '%s': %s",
+			g_warning("read certificate file '%s': %s",
 				claws_ssl_get_cert_file(),
 				gnutls_strerror(r));
 	} else {