@@ -553,9 +553,6 @@ sub _setSSLOptions {
553553sub _KeyChain_or_KeyStore_Export {
554554 my ($self ) = @_ ;
555555
556- # Only MacOSX and MSWin32 are supported
557- return unless $OSNAME =~ / ^darwin|MSWin32$ /
558-
559556 # But we don't need to extract anything if we still use an option to authenticate server certificate
560557 return if $self -> {ca_cert_file } || $self -> {ca_cert_dir } || (ref ($self -> {ssl_fingerprint }) eq ' ARRAY' $self -> {ssl_fingerprint }});
561558
@@ -603,11 +600,14 @@ sub _KeyChain_or_KeyStore_Export {
603600 SUFFIX => " .pem"
604601 );
605602 my $file = $tmpfile -> filename;
603+ my $command = " security find-certificate -a -p"
604+ $command .= " /System/Library/Keychains/SystemRootCertificates.keychain"
605+ if $self -> {ssl_keystore } =~ / ^system-ssl-ca$ /i
606606 getAllLines(
607- command => " security find-certificate -a -p > '$file '"
608- logger => $logger
607+ command => " $command > '$file '"
608+ logger => $logger
609609 );
610- @certs = IO::Socket::SSL::Utils::PEM_file2certs($file )
610+ push @certs , IO::Socket::SSL::Utils::PEM_file2certs($file )
611611 if -s $file ;
612612 } else {
613613 my @certCommands ;
@@ -691,8 +691,15 @@ sub _KeyChain_or_KeyStore_Export {
691691 }
692692 }
693693
694- # Always include default CA file from Mozilla::CA
695- if (Mozilla::CA-> require()) {
694+ # Like Mozilla::CA, but using certs from /etc/ssl/certs
695+ if ($OSNAME !~ / ^darwin|MSWin32$ /
696+ my $sslcacert = " /etc/ssl/certs/ca-certificates.crt"
697+ push @certs , IO::Socket::SSL::Utils::PEM_file2certs($sslcacert )
698+ if -e $sslcacert ;
699+ }
700+
701+ # Include default CA file from Mozilla::CA if @certs is empty
702+ if ((!@certs || $OSNAME eq ' darwin' $self -> {ssl_keystore } !~ / ^system-ssl-ca$ /i -> require()) {
696703 my $cacert = Mozilla::CA::SSL_ca_file();
697704 push @certs , IO::Socket::SSL::Utils::PEM_file2certs($cacert )
698705 if -e $cacert ;
0 commit comments