final SSL changes [backport:1.2] (#16983)

nim-lang · Feb 9, 2021 · 74d6a4d · 74d6a4d
1 parent ceab5e4
commit 74d6a4d
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 8 deletions.
diff --git a/changelog.md b/changelog.md
@@ -4,6 +4,13 @@
 
 ## Standard library additions and changes
 
+- On Windows the SSL library now checks for valid certificates.
+  It uses the `cacert.pem` file for this purpose which was extracted
+  from `https://curl.se/ca/cacert.pem`. Besides
+  the OpenSSL DLLs (e.g. libssl-1_1-x64.dll, libcrypto-1_1-x64.dll) you
+  now also need to ship `cacert.pem` with your `.exe` file.
+
+
 - Make `{.requiresInit.}` pragma to work for `distinct` types.
 
 - Added a macros `enumLen` for returning the number of items in an enum to the

diff --git a/lib/pure/net.nim b/lib/pure/net.nim
@@ -24,6 +24,17 @@
 ## `newContext<net.html#newContext%2Cstring%2Cstring%2Cstring%2Cstring>`_
 ## procedure for additional details.
 ##
+##
+## SSL on Windows
+## ==============
+##
+## On Windows the SSL library checks for valid certificates.
+## It uses the `cacert.pem` file for this purpose which was extracted
+## from `https://curl.se/ca/cacert.pem`. Besides
+## the OpenSSL DLLs (e.g. libssl-1_1-x64.dll, libcrypto-1_1-x64.dll) you
+## also need to ship `cacert.pem` with your `.exe` file.
+##
+##
 ## Examples
 ## ========
 ##

diff --git a/lib/pure/ssl_certs.nim b/lib/pure/ssl_certs.nim
@@ -107,14 +107,18 @@ iterator scanSSLCertificates*(useEnvVars = false): string =
 
   else:
     when defined(windows):
-      let pem = getAppDir() / "cacert.pem"
-      # We download the certificates according to https://curl.se/docs/caextract.html
-      # These are the certificates from Firefox. The 'bitsadmin.exe' tool ships with every
-      # recent version of Windows (Windows 8, Windows XP, etc.)
-      if not fileExists(pem):
-        discard os.execShellCmd("""bitsadmin.exe /rawreturn /transfer "JobName" /priority FOREGROUND https://curl.se/ca/cacert.pem """ &
-          quoteShell(pem))
-      yield pem
+      const cacert = "cacert.pem"
+      let pem = getAppDir() / cacert
+      if fileExists(pem):
+        yield pem
+      else:
+        let path = getEnv("PATH")
+        for candidate in split(path, PathSep):
+          if candidate.len != 0:
+            let x = (if candidate[0] == '"' and candidate[^1] == '"':
+                      substr(candidate, 1, candidate.len-2) else: candidate) / cacert
+            if fileExists(x):
+              yield x
     elif not defined(haiku):
       for p in certificatePaths:
         if p.endsWith(".pem") or p.endsWith(".crt"):