From a7465d58d79eba9efdaf6e836291afd47ed688ab Mon Sep 17 00:00:00 2001
From: Paul Beckingham
Date: Mon, 19 Dec 2016 12:16:22 -0500
Subject: [PATCH] TW-1855: "Well-known" CA certificates not properly auto-loaded - Thanks to Flavio Poletti.
---
 AUTHORS | 1 +
 ChangeLog | 2 ++
 src/TLSClient.cpp | 7 +++++++
 3 files changed, 10 insertions(+)
diff --git a/AUTHORS b/AUTHORS
index 15bd1771a..4b5d254d2 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -135,6 +135,7 @@ The following submitted code, packages or analysis, and deserve special thanks:
 Zachary Manning jrabbit Jelle van der Waa
+ Flavio Poletti
 Thanks to the following, who submitted detailed bug reports and excellent suggestions:
diff --git a/ChangeLog b/ChangeLog
index 8b184e562..854c6b489 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -26,6 +26,8 @@
 (thanks to george js).
 - TW-1820 Install with -DLANGUAGE=2 flag not work.
 (thanks to E. Manuel Cerr'on Angeles)
+- TW-1855 "Well-known" CA certificates not properly auto-loaded
+ (thanks to Flavio Poletti).
 - TW-1857 Change Task::get call to the more efficient Task::has
 (thanks to Zachary Manning).
 - TW-1873 Specify different path to extensions/hooks directory
diff --git a/src/TLSClient.cpp b/src/TLSClient.cpp
index d181d466c..778ea1267 100644
--- a/src/TLSClient.cpp
+++ b/src/TLSClient.cpp
@@ -150,6 +150,13 @@ void TLSClient::init (
 if (ret < 0) throw format ("TLS allocation error. {1}", gnutls_strerror (ret)); // All
+#if GNUTLS_VERSION_NUMBER >= 0x030014
+ // Automatic loading of system installed CA certificates.
+ ret = gnutls_certificate_set_x509_system_trust (_credentials); // 3.0.20
+ if (ret < 0)
+ throw format ("Bad System Trust. {1}", gnutls_strerror (ret)); // All
+#endif
+
 if (_ca != "" && (ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0) // All
 throw format ("Bad CA file. {1}", gnutls_strerror (ret)); // All
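Review bot: The added `#if` block in src/TLSClient.cpp loads the system CA store unconditionally, before the `_ca` check, so a client configured with its own CA file ends up trusting every CA the operating system ships in addition to the one it pinned. The same block also makes a negative return from `gnutls_certificate_set_x509_system_trust` fatal (GnuTLS documents `GNUTLS_E_UNIMPLEMENTED_FEATURE` on platforms without a system store), which aborts `init` even when a usable CA file is configured. If the system store is meant only as the fallback when no CA file is given, guard the call, e.g. `if (_ca == "" && (ret = gnutls_certificate_set_x509_system_trust (_credentials)) < 0)` followed by the existing throw. On success the function returns the number of certificates loaded, and a count of 0 is silently accepted here, so a comment stating which trust anchors apply in each case would help. `TLSClient::init` starts and ends outside the hunk, so how peer verification is configured afterwards is not visible from here.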