Index: libcurl_http_fetcher.cc |
diff --git a/libcurl_http_fetcher.cc b/libcurl_http_fetcher.cc |
index 9989ba266bde273075359f2fd529fe4b11493be6..1dcea9ea1b55d073b170ff6a5125b9262da77775 100644 |
--- a/libcurl_http_fetcher.cc |
+++ b/libcurl_http_fetcher.cc |
@@ -16,6 +16,7 @@ namespace chromeos_update_engine { |
namespace { |
const int kMaxRetriesCount = 20; |
+const char kCACertificatesPath[] = "/usr/share/update_engine/ca-certificates"; |
Chris Masone
2010/09/28 18:16:41
I forget... is /usr/share on the stateful partition?
petkov
2010/09/28 19:17:18
/usr/share is not a special mount -- it's off of /
|
} |
LibcurlHttpFetcher::~LibcurlHttpFetcher() { |
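Review bot: The new `kCACertificatesPath` constant has no comment describing what the directory must contain, and `CURLOPT_CAPATH` is sensitive to that. With an OpenSSL-backed libcurl the directory has to hold certificates under their hashed names (as produced by `c_rehash`), otherwise no CA is found and every HTTPS transfer fails verification. A short comment above the constant would cover it, for example `// Directory of trusted CA certificates in OpenSSL hashed-name form; must be populated at image build time.` Whether the build actually installs and rehashes that directory is not visible in this patch.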
@@ -63,11 +64,16 @@ void LibcurlHttpFetcher::ResumeTransfer(const std::string& url) { |
// By default, libcurl doesn't follow redirections. Allow up to |
// |kMaxRedirects| redirections. |
- CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_FOLLOWLOCATION, 1), |
- CURLE_OK); |
+ CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_FOLLOWLOCATION, 1), CURLE_OK); |
CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_MAXREDIRS, kMaxRedirects), |
CURLE_OK); |
+ // Makes sure that peer certificate verification is enabled and restricts the |
+ // set of trusted certificates. |
+ CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYPEER, 1), CURLE_OK); |
+ CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_CAPATH, kCACertificatesPath), |
+ CURLE_OK); |
+ |
CHECK_EQ(curl_multi_add_handle(curl_multi_handle_, curl_handle_), CURLM_OK); |
transfer_in_progress_ = true; |
} |
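Review bot: Setting only `CURLOPT_CAPATH` may not restrict the trust set the way the new comment claims. If the libcurl in use was built with a default CA bundle, that bundle stays configured as `CURLOPT_CAINFO` and is loaded alongside the directory. If restriction is the goal, clear it next to the CAPATH call, e.g. `CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_CAINFO, NULL), CURLE_OK);`, after confirming that behaviour on the target build. Peer verification also applies only to TLS connections, and with `CURLOPT_FOLLOWLOCATION` enabled just above, a redirect to a plain-http URL would skip it; if this fetcher is expected to stay on HTTPS, `CURLOPT_REDIR_PROTOCOLS` can enforce that. Minor: libcurl reads these numeric options as `long` from a variadic call, so `1L` is safer than `1`; ResumeTransfer's body starts outside the hunk.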