authorEmmanuel Vasilakis <mrzammler@mm.st>2022-11-03 16:22:39 +0200
committerGitHub <noreply@github.com>2022-11-03 16:22:39 +0200
commita41ba6db5a55a879cc3f49524eca5a4f6ecf7fe0 (patch)
tree053c6a479bc02475fc592c827e113814fb0d9363 /libnetdata/socket
parenta19795e85fd1d026171661c7f97bde8f9f7d0b1a (diff)
Setup default certificates path (#13941)
* setup default certificates path * change logic * change default in stream.conf
Diffstat (limited to 'libnetdata/socket')
-rw-r--r--libnetdata/socket/security.c31
1 files changed, 11 insertions, 20 deletions
diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c
index 490d8727e2..f7b44049ba 100644
--- a/libnetdata/socket/security.c
+++ b/libnetdata/socket/security.c
@@ -357,31 +357,22 @@ int security_test_certificate(SSL *ssl) {
* @return It returns 0 on success and -1 otherwise.
*/
int ssl_security_location_for_context(SSL_CTX *ctx, char *file, char *path) {
- struct stat statbuf;
- if (stat(file, &statbuf)) {
- info("Netdata does not have the parent's SSL certificate, so it will use the default OpenSSL configuration to validate certificates!");
- return 0;
- }
-
- ERR_clear_error();
- u_long err;
- char buf[256];
- if(!SSL_CTX_load_verify_locations(ctx, file, path)) {
- goto slfc;
+ int load_custom = 1, load_default = 1;
+ if (file || path) {
+ if(!SSL_CTX_load_verify_locations(ctx, file, path)) {
+ info("Netdata can not verify custom CAfile or CApath for parent's SSL certificate, so it will use the default OpenSSL configuration to validate certificates!");
+ load_custom = 0;
+ }
}
if(!SSL_CTX_set_default_verify_paths(ctx)) {
- goto slfc;
+ info("Can not verify default OpenSSL configuration to validate certificates!");
+ load_default = 0;
}
- return 0;
+ if (load_custom == 0 && load_default == 0)
+ return -1;
-slfc:
- while ((err = ERR_get_error()) != 0) {
- ERR_error_string_n(err, buf, sizeof(buf));
- error("Cannot set the directory for the certificates and the parent SSL certificate: %s",buf);
- }
- return -1;
+ return 0;
}
-
#endif
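Review bot: `load_custom` starts at 1 and is only cleared inside `if (file || path)`, so when no custom CAfile/CApath is configured and `SSL_CTX_set_default_verify_paths()` fails, the final check `load_custom == 0 && load_default == 0` is false and the function returns 0 without having loaded any trust anchors. Initialising it from the configuration, `int load_custom = (file || path) ? 1 : 0, load_default = 1;`, makes that case return -1 as the doc comment promises. Separately, a configured CAfile/CApath that fails to load now falls back to the system trust store with only an `info()` line, which widens the set of issuers accepted for the parent's certificate beyond what the operator pinned. I would report that with `error()`, include the `ERR_get_error()` detail that the removed `slfc:` loop printed, and consider treating it as a failure rather than a fallback. The start of the function's doc comment lies outside the hunk.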