Introduce option 'ca_file'

The option is supposed to be used as a fallback for certificates
validation. For instance, the option will be used if 's2s_cafile'
option is not set. The value should be a path to a file containing
CA certificate(s) in PEM format, e.g.:

ca_file: "/etc/ssl/certs/ca-bundle.pem"

1 files changed, 11 insertions, 3 deletions

diff --git a/src/ejabberd_s2s.erl b/src/ejabberd_s2s.erl
index 1e389d712..67f242122 100644
--- a/src/ejabberd_s2s.erl
+++ b/src/ejabberd_s2s.erl
@@ -222,8 +222,7 @@ tls_options(LServer, DefaultOpts) ->
                    DHFile -> lists:keystore(dhfile, 1, TLSOpts3,
 					    {dhfile, DHFile})
                end,
-    TLSOpts5 = case ejabberd_config:get_option(
-		      {s2s_cafile, LServer}) of
+    TLSOpts5 = case get_cafile(LServer) of
 		   undefined -> TLSOpts4;
 		   CAFile -> lists:keystore(cafile, 1, TLSOpts4,
 					    {cafile, CAFile})
@@ -267,7 +266,7 @@ queue_type(LServer) ->
       {s2s_queue_type, LServer},
       ejabberd_config:default_queue_type(LServer)).
 
--spec get_certfile(binary()) -> file:filename_all().
+-spec get_certfile(binary()) -> file:filename_all() | undefined.
 get_certfile(LServer) ->
     case ejabberd_pkix:get_certfile(LServer) of
 	{ok, CertFile} ->
@@ -278,6 +277,15 @@ get_certfile(LServer) ->
 	      ejabberd_config:get_option({s2s_certfile, LServer}))
     end.
 
+-spec get_cafile(binary()) -> file:filename_all() | undefined.
+get_cafile(LServer) ->
+    case ejabberd_config:get_option({s2s_cafile, LServer}) of
+	undefined ->
+	    ejabberd_pkix:ca_file();
+	File ->
+	    File
+    end.
+
 %%====================================================================
 %% gen_server callbacks
 %%====================================================================