Commit 9a866b18 authored by Committed by Ralph GilesBrowse files
Support the Windows system certificate store.
OpenSSL on Windows does not pull certificates from any well-known location (in fact most binaries continue to use the default Unix path, which usually doesn't even exist). We could ship our own set of certificates (e.g., cloned from the Mozilla root list), but I don't want to be responsible for releasing libopusfile updates when things like DigiNotar fiasco  happen. That approach also means that we would need to load, parse, and keep a copy of every certificate in the system for every SSL session. OpenSSL has had patches sitting in their bugtracker which load certificates from the Crypto API's system certificate store. However, those patches have been sitting around for several years, so movement on that front in the near future seems unlikely. We don't care about using OpenSSL's builtin CAPI engine, though, so we can do the same thing with less than 200 lines of code. This puts the maintenance burden on Windows Update, which will be far more timely and effective than getting people to upgrade libopusfile, and gets us on-demand loading of just the certificates we need.  <https://bugzilla.mozilla.org/show_bug.cgi?id=682927>