Related: tdf#157480 use SSL_CERT_FILE on macOS too

for SSL use by pyuno emailmerge

another alternative mechanism that could work is to generate one
with something like: "security find-certificate -a -p > cert.pem"
ref: https: //hynek.me/articles/apple-openssl-verification-surprises/

Change-Id: I8bff2ca5bbbb4f2c2333a67e0281dd4fa0b06405
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/165625
Reviewed-by: Patrick Luby <guibomacdev@gmail.com>
Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>

3 files changed, 9 insertions, 6 deletions

diff --git a/include/systools/curlinit.hxx b/include/systools/curlinit.hxx
index d03c620a3c75..4b226c7a4218 100644
--- a/include/systools/curlinit.hxx
+++ b/include/systools/curlinit.hxx
@@ -13,12 +13,13 @@
 
 #include <officecfg/Office/Security.hxx>
 
-#if defined(LINUX) && !defined(SYSTEM_CURL)
+// curl is built with --with-secure-transport on macOS and iOS so doesn't need these
+// certs. Windows doesn't need them either, but lets assume everything else does
+#if !defined(SYSTEM_OPENSSL) && !defined(_WIN32) && !defined(MACOSX) && !defined(IOS)
 #include <com/sun/star/uno/RuntimeException.hpp>
 
 #define LO_CURL_NEEDS_CA_BUNDLE
 #include "opensslinit.hxx"
-#undef LO_CURL_NEEDS_CA_BUNDLE
 #endif
 
 #include <rtl/string.hxx>
@@ -31,7 +32,7 @@ static void InitCurl_easy(CURL* const pCURL)
     CURLcode rc;
     (void)rc;
 
-#if defined(LINUX) && !defined(SYSTEM_CURL)
+#if defined(LO_CURL_NEEDS_CA_BUNDLE)
     char const* const path = GetCABundleFile();
     rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path);
     if (rc != CURLE_OK) // only if OOM?
@@ -79,4 +80,6 @@ static void InitCurl_easy(CURL* const pCURL)
     assert(rc == CURLE_OK);
 }
 
+#undef LO_CURL_NEEDS_CA_BUNDLE
+
 /* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */
diff --git a/include/systools/opensslinit.hxx b/include/systools/opensslinit.hxx
index 04f38faa0821..48b38cf67512 100644
--- a/include/systools/opensslinit.hxx
+++ b/include/systools/opensslinit.hxx
@@ -13,8 +13,7 @@
 
 // Also include/systools/curlinit.hxx needs GetCABundleFile() if
 // !defined(SYSTEM_CURL) it defines LO_CURL_NEEDS_CA_BUNDLE.
-#if defined(LINUX) && (!defined(SYSTEM_OPENSSL) || defined(LO_CURL_NEEDS_CA_BUNDLE))
-#include <com/sun/star/uno/RuntimeException.hpp>
+#if !defined(_WIN32) && (!defined(SYSTEM_OPENSSL) || defined(LO_CURL_NEEDS_CA_BUNDLE))
 
 #include <unistd.h>
 
@@ -27,6 +26,7 @@ static char const* GetCABundleFile()
         "/etc/pki/tls/certs/ca-bundle.trust.crt",
         "/etc/ssl/certs/ca-certificates.crt",
         "/var/lib/ca-certificates/ca-bundle.pem",
+        "/etc/ssl/cert.pem", // macOS has one at this location
     };
     for (char const* const candidate : candidates)
     {
diff --git a/vcl/source/app/svmain.cxx b/vcl/source/app/svmain.cxx
index 3aa2cecf4ec8..9eb99f09e320 100644
--- a/vcl/source/app/svmain.cxx
+++ b/vcl/source/app/svmain.cxx
@@ -194,7 +194,7 @@ int ImplSVMain()
 
     const bool bWasInitVCL = IsVCLInit();
 
-#if defined(LINUX) && !defined(SYSTEM_OPENSSL)
+#if !defined(_WIN32) && !defined(SYSTEM_OPENSSL)
     if (!bWasInitVCL)
     {
         OUString constexpr name(u"SSL_CERT_FILE"_ustr);