Use system-wide certificates for SSL

Use system-wide certificates for SSL.  For GnuTLS it requires the
latest version, 3.0.20. OpenSSL had it for longer.  This means that if
SSL library is properly configured to locate system-wide certificates
store, the user don't have to use --ca-certificate option. Also
packagers don't have to use --with-ca-bundle configure option.

Patch from Cristian Morales Vega

configure.ac

@@ -153,6 +153,7 @@ if test "x$with_gnutls" = "xyes"; then
     AC_DEFINE([HAVE_LIBGNUTLS], [1], [Define to 1 if you have libgnutls.])
     LIBS="$LIBGNUTLS_LIBS $LIBS"
     CPPFLAGS="$LIBGNUTLS_CFLAGS $CPPFLAGS"
+    AC_CHECK_FUNCS([gnutls_certificate_set_x509_system_trust])
   else
     AC_MSG_WARN([$LIBGNUTLS_PKG_ERRORS])
     if test "x$with_gnutls_requested" = "xyes"; then

src/LibgnutlsTLSContext.cc

@@ -99,6 +99,23 @@ bool TLSContext::addClientKeyFile(const std::string& certfile,
   }
 }
 
+bool TLSContext::addSystemTrustedCACerts()
+{
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST
+  int ret = gnutls_certificate_set_x509_system_trust(certCred_);
+  if(ret < 0) {
+    A2_LOG_ERROR(fmt(MSG_LOADING_SYSTEM_TRUSTED_CA_CERTS_FAILED,
+                     gnutls_strerror(ret)));
+    return false;
+  } else {
+    A2_LOG_INFO(fmt("%d certificate(s) were imported.", ret));
+    return true;
+  }
+#else
+  return false;
+#endif
+}
+
 bool TLSContext::addTrustedCACertFile(const std::string& certfile)
 {
   int ret = gnutls_certificate_set_x509_trust_file(certCred_,

src/LibgnutlsTLSContext.h

@@ -61,6 +61,8 @@ public:
   bool addClientKeyFile(const std::string& certfile,
                         const std::string& keyfile);
 
+  bool addSystemTrustedCACerts();
+
   // certfile can contain multiple certificates.
   bool addTrustedCACertFile(const std::string& certfile);
 

src/LibsslTLSContext.cc

@@ -102,6 +102,18 @@ bool TLSContext::addClientKeyFile(const std::string& certfile,
   return true;
 }
 
+bool TLSContext::addSystemTrustedCACerts()
+{
+  if(SSL_CTX_set_default_verify_paths(sslCtx_) != 1) {
+    A2_LOG_ERROR(fmt(MSG_LOADING_SYSTEM_TRUSTED_CA_CERTS_FAILED,
+                     ERR_error_string(ERR_get_error(), 0)));
+    return false;
+  } else {
+    A2_LOG_INFO("System trusted CA certificates were successfully added.");
+    return true;
+  }
+}
+
 bool TLSContext::addTrustedCACertFile(const std::string& certfile)
 {
   if(SSL_CTX_load_verify_locations(sslCtx_, certfile.c_str(), 0) != 1) {

src/LibsslTLSContext.h

@@ -61,6 +61,8 @@ public:
   bool addClientKeyFile(const std::string& certfile,
                         const std::string& keyfile);
 
+  bool addSystemTrustedCACerts();
+
   // certfile can contain multiple certificates.
   bool addTrustedCACertFile(const std::string& certfile);
 

src/MultiUrlRequestInfo.cc

@@ -179,12 +179,15 @@ error_code::Value MultiUrlRequestInfo::execute()
       tlsContext->addClientKeyFile(option_->get(PREF_CERTIFICATE),
                                    option_->get(PREF_PRIVATE_KEY));
     }
+
     if(!option_->blank(PREF_CA_CERTIFICATE)) {
       if(!tlsContext->addTrustedCACertFile(option_->get(PREF_CA_CERTIFICATE))) {
         A2_LOG_INFO(MSG_WARN_NO_CA_CERT);
       }
     } else if(option_->getAsBool(PREF_CHECK_CERTIFICATE)) {
-      A2_LOG_INFO(MSG_WARN_NO_CA_CERT);
+      if(!tlsContext->addSystemTrustedCACerts()) {
+        A2_LOG_INFO(MSG_WARN_NO_CA_CERT);
+      }
     }
     if(option_->getAsBool(PREF_CHECK_CERTIFICATE)) {
       tlsContext->enablePeerVerification();

src/message.h

@@ -169,6 +169,8 @@
 #define MSG_ESTABLISHING_CONNECTION_FAILED              \
   _("Failed to establish connection, cause: %s")
 #define MSG_NETWORK_PROBLEM _("Network problem has occurred. cause:%s")
+#define MSG_LOADING_SYSTEM_TRUSTED_CA_CERTS_FAILED                              \
+  _("Failed to load trusted CA certificates from system. Cause: %s")
 #define MSG_LOADING_TRUSTED_CA_CERT_FAILED                              \
   _("Failed to load trusted CA certificates from %s. Cause: %s")
 #define MSG_CERT_VERIFICATION_FAILED                    \