# HG changeset patch # User Alain Mazy # Date 1736165828 -3600 # Node ID 089b8e5158d1c1b806ea8f2325489585f8ed0e55 # Parent cc6027cbd8f14812be34e739ae5084b086657819 empty HttpsCACertificates is now equivalent to --ca-native curl option diff -r cc6027cbd8f1 -r 089b8e5158d1 NEWS --- a/NEWS Thu Dec 26 13:18:12 2024 +0100 +++ b/NEWS Mon Jan 06 13:17:08 2025 +0100 @@ -1,6 +1,13 @@ Pending changes in the mainline =============================== +Maintenance +----------- + +* When the "HttpsCACertificates" configuration is empty. Orthanc will now use the + operating system native CA store (if any). This is equivalent to the --ca-native + curl option. + Version 1.12.5 (2024-12-17) =========================== diff -r cc6027cbd8f1 -r 089b8e5158d1 OrthancFramework/Sources/HttpClient.cpp --- a/OrthancFramework/Sources/HttpClient.cpp Thu Dec 26 13:18:12 2024 +0100 +++ b/OrthancFramework/Sources/HttpClient.cpp Mon Jan 06 13:17:08 2025 +0100 @@ -860,7 +860,15 @@ if (verifyPeers_) { - CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_CAINFO, caCertificates_.c_str())); + if (caCertificates_.empty()) // use native CA store (equivalent to --ca-native) + { + CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NATIVE_CA)); + } + else // use provided CA file (equivalent to --cacert) + { + CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_CAINFO, caCertificates_.c_str())); + } + CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_VERIFYHOST, 2)); // libcurl default is strict verifyhost CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_VERIFYPEER, 1)); } 
@@ -1187,8 +1195,8 @@ { if (httpsVerifyCertificates.empty()) { - LOG(WARNING) << "No certificates are provided to validate peers, " - << "set \"HttpsCACertificates\" if you need to do HTTPS requests"; + LOG(WARNING) << "No certificates are provided to validate peers. Orthanc will use the native CA store. " + << "Set \"HttpsCACertificates\" if you need to do HTTPS requests and use custom CAs."; } else { diff -r cc6027cbd8f1 -r 089b8e5158d1 OrthancServer/Resources/Configuration.json --- a/OrthancServer/Resources/Configuration.json Thu Dec 26 13:18:12 2024 +0100 +++ b/OrthancServer/Resources/Configuration.json Mon Jan 06 13:17:08 2025 +0100 @@ -572,10 +572,10 @@ // Set the timeout for HTTP requests issued by Orthanc (in seconds). "HttpTimeout" : 60, - // Enable the verification of the peers during HTTPS requests. This - // option must be set to "false" if using self-signed certificates. - // Pay attention that setting this option to "false" results in - // security risks! + // Enable the verification of the peers certificates during HTTPS + // requests. Setting this option to false is equivalent to the + // "--insecure" curl option. Pay attention that setting this option + // to "false" results in security risks! // Reference: http://curl.haxx.se/docs/sslcerts.html "HttpsVerifyPeers" : true, @@ -585,7 +585,10 @@ // verify the peers. The file may contain multiple CA // certificates. The certificate(s) must be in PEM format." On // Debian-based systems, this option can be set to - // "/etc/ssl/certs/ca-certificates.crt" + // "/etc/ssl/certs/ca-certificates.crt". + // Starting with Orthanc 1.12.6, when this option is empty, + // Orthanc uses the operating system native CA store ("--ca-native" + // option) "HttpsCACertificates" : "", diff -r cc6027cbd8f1 -r 089b8e5158d1 OrthancServer/Sources/main.cpp --- a/OrthancServer/Sources/main.cpp Thu Dec 26 13:18:12 2024 +0100 +++ b/OrthancServer/Sources/main.cpp Mon Jan 06 13:17:08 2025 +0100 
@@ -1526,9 +1526,15 @@ // These configuration options must be set before creating the // ServerContext, otherwise the possible Lua scripts will not be // able to properly issue HTTP/HTTPS queries + + std::string httpsCaCertificates = lock.GetConfiguration().GetStringParameter("HttpsCACertificates", ""); + if (!httpsCaCertificates.empty()) + { + httpsCaCertificates = lock.GetConfiguration().InterpretStringParameterAsPath(httpsCaCertificates); + } + HttpClient::ConfigureSsl(lock.GetConfiguration().GetBooleanParameter("HttpsVerifyPeers", true), - lock.GetConfiguration().InterpretStringParameterAsPath - (lock.GetConfiguration().GetStringParameter("HttpsCACertificates", ""))); + httpsCaCertificates); HttpClient::SetDefaultVerbose(lock.GetConfiguration().GetBooleanParameter("HttpVerbose", false)); // The value "0" below makes the class HttpClient use its default
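Review bot: the NEWS hunk has a punctuation slip in the new bullet: `configuration is empty. Orthanc will now use` should read `configuration is empty, Orthanc will now use` (one sentence, not two). It would also help administrators if the bullet spelled out the consequence of the change: a previously empty setting gave no trust anchors at all, whereas the new behaviour trusts every CA in the operating system store, so anyone who relied on HTTPS being effectively blocked by an empty setting should now either keep `HttpsVerifyPeers` on with a deliberate bundle or expect outbound HTTPS to succeed. The entry is filed under `Pending changes` while the Configuration.json comment in the same patch pins the behaviour to `1.12.6`; keep the two consistent.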
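Review bot: in the HttpClient.cpp hunk at line 860, the new `CURLSSLOPT_NATIVE_CA` branch has no libcurl version guard, and the flag is honoured only by some TLS backends (it was introduced in libcurl 7.71.0; for OpenSSL builds it takes effect on Windows, while Schannel and Secure Transport use the native store regardless). On Linux OpenSSL builds the option itself does nothing and verification still works only because `CURLOPT_CAINFO` is now left unset, so libcurl falls back to its default CA locations. Suggest wrapping `CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NATIVE_CA));` in `#if LIBCURL_VERSION_NUM >= 0x074700` with a comment describing the fallback, and stating the minimum libcurl version in NEWS, otherwise the framework stops compiling against older toolchains. The branch is correctly nested under `if (verifyPeers_)`, so `CURLOPT_SSL_VERIFYHOST` stays at 2 and peer verification remains enforced in both cases.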
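Review bot: in the second HttpClient.cpp hunk (line 1195), the reworded message now describes the documented default behaviour but is still emitted with `LOG(WARNING)`, so every deployment that intentionally relies on the native store gets a startup warning it cannot silence. Consider `LOG(INFO)` for the empty case and reserve WARNING for the genuinely risky state, `HttpsVerifyPeers` set to false. The text could also say plainly that the native store means every CA the platform trusts is accepted, which is the fact an administrator reviewing logs needs rather than only the hint to set `HttpsCACertificates`.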
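Review bot: in the Configuration.json hunk at line 572, the rewritten comment drops the old advice that self-signed certificates require `HttpsVerifyPeers` to be false, which is the right direction, but it does not say what to do instead. Add one sentence pointing to `HttpsCACertificates` as the supported way to trust a self-signed or private CA, so readers are not nudged toward the `--insecure` equivalent when a safe option exists.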
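Review bot: in the Configuration.json hunk at line 585, the added sentence ends with `option)` and is missing its full stop. The preceding context still recommends setting `/etc/ssl/certs/ca-certificates.crt` on Debian-based systems even though the empty default now reaches the same store through libcurl, so the recommendation should be rephrased as what to do when a custom bundle or a specific file is wanted, rather than as the general Debian setting. Suggested wording for the new lines: `Starting with Orthanc 1.12.6, when this option is empty, Orthanc uses the operating system native CA store (equivalent to the "--ca-native" curl option).`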
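Review bot: in the main.cpp hunk at line 1526, the `!httpsCaCertificates.empty()` guard before `InterpretStringParameterAsPath` is essential, not cosmetic: without it an empty string would be resolved relative to the configuration directory and reach `HttpClient::ConfigureSsl` as a non-empty path, so the new `caCertificates_.empty()` test in HttpClient.cpp would never select the native-store branch. Add a one-line comment saying so, because the guard reads as a no-op otherwise. Please also confirm that no other caller of `ConfigureSsl` (for example a plugin or Lua entry point, if one exists) still passes the raw interpreted path, since those callers would silently keep the old behaviour.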