2 files changed, 19 insertions, 10 deletions

diff --git a/src/libwaitress/waitress.c b/src/libwaitress/waitress.c
index aff023b..8b6daa8 100644
--- a/src/libwaitress/waitress.c
+++ b/src/libwaitress/waitress.c
@@ -55,11 +55,19 @@ typedef struct {
 	size_t pos;
 } WaitressFetchBufCbBuffer_t;
 
-void WaitressInit (WaitressHandle_t *waith) {
+void WaitressInit (WaitressHandle_t *waith, const char *caPath) {
 	assert (waith != NULL);
 
 	memset (waith, 0, sizeof (*waith));
 	waith->timeout = 30000;
+#ifdef ENABLE_TLS
+	gnutls_certificate_allocate_credentials (&waith->tlsCred);
+	if (caPath == NULL) {
+		caPath = "/etc/ssl/certs/ca-certificates.crt";
+	}
+	gnutls_certificate_set_x509_trust_file (waith->tlsCred, caPath,
+			GNUTLS_X509_FMT_PEM);
+#endif
 }
 
 void WaitressFree (WaitressHandle_t *waith) {
@@ -67,6 +75,9 @@ void WaitressFree (WaitressHandle_t *waith) {
 
 	free (waith->url.url);
 	free (waith->proxy.url);
+#ifdef ENABLE_TLS
+	gnutls_certificate_free_credentials (waith->tlsCred);
+#endif
 	memset (waith, 0, sizeof (*waith));
 }
 
@@ -1020,10 +1031,6 @@ WaitressReturn_t WaitressFetchCall (WaitressHandle_t *waith) {
 	if (waith->url.tls) {
 		waith->request.read = WaitressGnutlsRead;
 		waith->request.write = WaitressGnutlsWrite;
-		/* FIXME: move creds to waitressinit */
-		gnutls_certificate_allocate_credentials (&waith->request.tlsCred);
-		gnutls_certificate_set_x509_trust_file (waith->request.tlsCred,
-				"/etc/ssl/certs/ca-certificates.crt", GNUTLS_X509_FMT_PEM);
 		gnutls_init (&waith->request.tlsSession, GNUTLS_CLIENT);
 		const char *err;
 		if (gnutls_priority_set_direct (waith->request.tlsSession,
@@ -1032,7 +1039,7 @@ WaitressReturn_t WaitressFetchCall (WaitressHandle_t *waith) {
 		}
 		if (gnutls_credentials_set (waith->request.tlsSession,
 				GNUTLS_CRD_CERTIFICATE,
-				waith->request.tlsCred) != GNUTLS_E_SUCCESS) {
+				waith->tlsCred) != GNUTLS_E_SUCCESS) {
 			return WAITRESS_RET_ERR;
 		}
 
@@ -1047,7 +1054,7 @@ WaitressReturn_t WaitressFetchCall (WaitressHandle_t *waith) {
 		/* certificate verification function */
 		gnutls_session_set_ptr (waith->request.tlsSession,
 				(gnutls_transport_ptr_t) waith);
-		gnutls_certificate_set_verify_function (waith->request.tlsCred,
+		gnutls_certificate_set_verify_function (waith->tlsCred,
 				WaitressTlsVerify);
 	}
 #else
@@ -1073,7 +1080,6 @@ WaitressReturn_t WaitressFetchCall (WaitressHandle_t *waith) {
 	if (waith->url.tls) {
 		gnutls_bye (waith->request.tlsSession, GNUTLS_SHUT_RDWR);
 		gnutls_deinit (waith->request.tlsSession);
-		gnutls_certificate_free_credentials (waith->request.tlsCred);
 	}
 #endif
 	close (waith->request.sockfd);
diff --git a/src/libwaitress/waitress.h b/src/libwaitress/waitress.h
index 9523ede..eb79393 100644
--- a/src/libwaitress/waitress.h
+++ b/src/libwaitress/waitress.h
@@ -93,6 +93,10 @@ typedef struct {
 	void *data;
 	WaitressCbReturn_t (*callback) (void *, size_t, void *);
 	int timeout;
+#ifdef ENABLE_TLS
+	gnutls_certificate_credentials_t tlsCred;
+#endif
+
 	/* per-request data */
 	struct {
 		size_t contentLength, contentReceived, chunkSize;
@@ -100,7 +104,6 @@ typedef struct {
 		char *buf;
 #ifdef ENABLE_TLS
 		gnutls_session_t tlsSession;
-		gnutls_certificate_credentials_t tlsCred;
 #endif
 		/* first argument is WaitressHandle_t, but that's not defined here */
 		WaitressHandlerReturn_t (*dataHandler) (void *, char *, const size_t);
@@ -111,7 +114,7 @@ typedef struct {
 	} request;
 } WaitressHandle_t;
 
-void WaitressInit (WaitressHandle_t *);
+void WaitressInit (WaitressHandle_t *, const char *);
 void WaitressFree (WaitressHandle_t *);
 bool WaitressSetProxy (WaitressHandle_t *, const char *);
 char *WaitressUrlEncode (const char *);