From 33b1b2f73aa6a49efd98a05debd5ebf0ba1c9400 Mon Sep 17 00:00:00 2001
From: mailsvb
Date: Fri, 16 Sep 2016 15:58:31 +0200
Subject: [PATCH] allow ca_bundles path to be configurable from command line

---
 testssl.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index d9a1679..83955fb 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -211,6 +211,7 @@ OSSL_VER="" # openssl version, will be auto-determin
 OSSL_VER_MAJOR=0
 OSSL_VER_MINOR=0
 OSSL_VER_APPENDIX="none"
+CA_BUNDLES="$INSTALL_DIR/etc/*.pem"
 HAS_DH_BITS=${HAS_DH_BITS:-false} # initialize openssl variables
 HAS_SSL2=false
 HAS_SSL3=false
@@ -3798,7 +3799,6 @@ determine_trust() {
 local all_ok=true
 local some_ok=false
 local code
- local ca_bundles="$INSTALL_DIR/etc/*.pem"
 local spaces=" "
 local -i certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
 local addtl_warning
@@ -3812,7 +3812,7 @@ determine_trust() {
 fileout "${json_prefix}chain_of_trust_warn" "WARN" "$addtl_warning"
 fi
 debugme outln
- for bundle_fname in $ca_bundles; do
+ for bundle_fname in $CA_BUNDLES; do
 certificate_file[i]=$(basename ${bundle_fname//.pem})
 if [[ ! -r $bundle_fname ]]; then
 pr_warningln "\"$bundle_fname\" cannot be found / not readable"
@@ -7344,6 +7344,8 @@ tuning options (can also be preset via environment variables):
 --proxy : connect via the specified HTTP proxy
 -6 use also IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
 --sneaky leave less traces in target logs: user agent, referer
+ --ca-bundles set path to trusted ca certificates for building the chain of trust
+ defaults to "$INSTALL_DIR/etc/*.pem"
 
 output options (can also be preset via environment variables):
 --warnings "batch" doesn't wait for keypress, "off" or "false" skips connection warning
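Review bot: The new global `CA_BUNDLES="$INSTALL_DIR/etc/*.pem"` is assigned unconditionally, so unlike `HAS_DH_BITS=${HAS_DH_BITS:-false}` on the very next line it cannot be preset through the environment, even though the help text added by this same patch lists it under "tuning options (can also be preset via environment variables)". Writing it as `CA_BUNDLES="${CA_BUNDLES:-$INSTALL_DIR/etc/*.pem}"` makes the option behave as documented. A second, subtler change: the removed `local ca_bundles` was expanded when determine_trust() ran, whereas this global is expanded once at script start; the surrounding lines do not show where INSTALL_DIR is set, and if it is only determined later the default silently degrades to `/etc/*.pem`. If that is the case, keep computing the default inside determine_trust() and let the global only carry an explicit override.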
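Review bot: `for bundle_fname in $CA_BUNDLES; do` now relies on unquoted glob expansion of a user-supplied value, which is correct here but looks like the classic quoting bug; a one-line comment keeps the next reader (and ShellCheck) from "fixing" it: `# intentionally unquoted: CA_BUNDLES is a glob pattern expanded here`. Because the loop expects a pattern rather than a directory, a directory given on the command line becomes the single `bundle_fname`, passes the `-r` test two lines below, and is then handed on as if it were a PEM bundle, with the trust verdict depending on whatever the later verification does with a directory argument. Normalising a directory into `dir/*.pem` at the point where the option is parsed would avoid that. determine_trust() starts and ends outside this hunk.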
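Review bot: The new help entry does not show the argument form, and "set path to trusted ca certificates" reads as a directory, while determine_trust() expands the value as a glob and ignores the directory case. Spell out the contract so users do not pass a directory or let the shell expand the pattern for them, e.g. `--ca-bundles <glob>   PEM bundles of trusted CA certificates used to build the chain of trust (quote the pattern), defaults to "$INSTALL_DIR/etc/*.pem"`. The option is also listed under a heading that promises environment presets; that only holds if the global default in this patch is written with `${CA_BUNDLES:-...}`.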
@@ -8391,6 +8393,10 @@ parse_cmd_line() {
 -E|--cipher-per-proto|--cipher_per_proto)
 do_cipher_per_proto=true
 ;;
+ --ca-bundles|--ca-bundles=*)
+ CA_BUNDLES=$(parse_opt_equal_sign "$1" "$2")
+ [[ $? -eq 0 ]] && shift
+ ;;
 -p|--protocols)
 do_protocols=true
 do_spdy=true
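Review bot: The new `--ca-bundles` arm stores the value verbatim with no check, so a mistyped or nonexistent path is only reported much later, once per glob entry, by determine_trust(), and a directory is kept as-is although the consumer expands a glob. Since this value defines the script's trust anchors for the chain-of-trust check, an immediate error is worth having; after the `shift` add `[[ -d "$CA_BUNDLES" ]] && CA_BUNDLES="$CA_BUNDLES/*.pem"` so a directory is accepted, and something like `[[ -r "$CA_BUNDLES" || -d "${CA_BUNDLES%/*}" ]] || fatal "no CA bundles at $CA_BUNDLES" 2` to reject a bad path up front (presumably fatal exists, as other options seem to rely on it — verify). The `$(parse_opt_equal_sign "$1" "$2")` / `[[ $? -eq 0 ]] && shift` pattern presumably mirrors the sibling options outside this hunk, so it is fine to keep.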