Using ssl_ca_path prevents verification using system trusted CA
Openssl is using certs either from ssl_ca_path or system ca store. There is not fallback to system when the CA is not found in ssl_ca_path.
Setting ssl_ca_path to .hammer/certs thus disables using system trusted CAs for verification.
Fixes #19390 - use local ca cert store instead of ssl_ca_path
This patch changes the way how the localy downloaded certs are handled.
Setting of ssl_ca_path prevented usage of system trusted CA certs for
With this patch when the ca cert is downloaded with --fetch-ca-cert it is
stored to the local store. When Hammer opens a connection it checks if
any cert for the actual URI is present in the store and uses it
by setting ssl-ca-file. This works only if ssl_ca-path and ssl_ca_file
is not set.
Please enter the commit message for your changes. Lines starting