增加trusted_cert_load_local开关，控制是否加载本地的pem bundle文件，默认加载。

platform/src/ssl_stream.cpp

@@ -149,6 +149,7 @@ struct ssl_mgr
 	char * ecdhcurve;
 	char * crl_url;
 
+	unsigned int trusted_cert_load_local;
 	struct cert_store_param cert_verify_param;
 	uint8_t ssl_mode_release_buffers;
 	char trusted_cert_file[TFE_PATH_MAX];
@@ -705,13 +706,18 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
 		goto error_out;
 	}
 	
-	MESA_load_profile_string_def(ini_profile, section, "trusted_cert_file", mgr->trusted_cert_file, sizeof(mgr->trusted_cert_file),
-		"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem");
-	
-	MESA_load_profile_string_def(ini_profile, section, "trusted_cert_dir", mgr->trusted_cert_dir, sizeof(mgr->trusted_cert_dir),
-		"./resource/tfe/trusted_storage");
+	MESA_load_profile_uint_def(ini_profile, section, "trusted_cert_load_local",
+		&(mgr->trusted_cert_load_local), 1);
+
 	MESA_load_profile_uint_def(ini_profile, section, "check_cert_crl", &(mgr->cert_verify_param.check_crl), 0);
-	
+	if(mgr->trusted_cert_load_local)//Other wise, use policy defined trusted CA file.
+	{
+		MESA_load_profile_string_def(ini_profile, section, "trusted_cert_file", mgr->trusted_cert_file, sizeof(mgr->trusted_cert_file),
+			"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem");
+		
+		MESA_load_profile_string_def(ini_profile, section, "trusted_cert_dir", mgr->trusted_cert_dir, sizeof(mgr->trusted_cert_dir),
+			"./resource/tfe/trusted_storage");
+	}	
 	mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir, &(mgr->cert_verify_param));
 	if (mgr->trust_CA_store == NULL)
 	{

platform/src/ssl_trusted_cert_storage.cpp

@@ -109,12 +109,15 @@ static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_di
 	{
 		return NULL;
 	}
-	ret = X509_STORE_load_locations(store, pem_bundle, NULL);
-	if (ret == 0)
+	if(pem_bundle&&strlen(pem_bundle)>0)
 	{
-		return NULL;
+		ret = X509_STORE_load_locations(store, pem_bundle, NULL);
+		if (ret == 0)
+		{
+			return NULL;
+		}
+		TFE_LOG_INFO(g_default_logger, "X509 trust store load pem boundle: %s", pem_bundle);
 	}
-	
 	X509_VERIFY_PARAM *x509_param=NULL;
 	if(param->check_crl)
 	{	
@@ -122,31 +125,35 @@ static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_di
 		X509_VERIFY_PARAM_set_flags(x509_param, X509_V_FLAG_CRL_CHECK);
 		X509_STORE_set1_param(store, x509_param);
 		X509_VERIFY_PARAM_free(x509_param);
+		TFE_LOG_INFO(g_default_logger, "X509 trust store enable CRL check");
 	}
 	struct dirent **namelist = NULL;
-	n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort);
-	if(n < 0)
+	if(pem_dir&&strlen(pem_dir)>0)
 	{
-		return store;
-	}
-	
-	for(i=0;i<n;i++)
-	{
-		snprintf(path, sizeof(path), "%s/%s",pem_dir, namelist[i]->d_name);
-		if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".pem"), ".pem"))
+		n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort);
+		if(n < 0)
 		{
-			_X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CERT, path);
+			return store;
 		}
-		else if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".crl"), ".crl"))
+		
+		for(i=0;i<n;i++)
 		{
-			_X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CRL, path);
+			snprintf(path, sizeof(path), "%s/%s",pem_dir, namelist[i]->d_name);
+			if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".pem"), ".pem"))
+			{
+				_X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CERT, path);
+			}
+			else if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".crl"), ".crl"))
+			{
+				_X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CRL, path);
+			}
+
+			TFE_LOG_INFO(g_default_logger, "X509 trust store found X509 additive trust CA: %s", path);
+			free(namelist[i]);
 		}
 
-		TFE_LOG_INFO(g_default_logger, "Found X509 additive trust CA: %s", path);
-		free(namelist[i]);
+		free(namelist);
 	}
-
-	free(namelist);
 	return store;
 }