Index: /trunk/include/iprt/http.h
===================================================================
--- /trunk/include/iprt/http.h	(revision 45330)
+++ /trunk/include/iprt/http.h	(revision 45331)
@@ -5,5 +5,5 @@
 
 /*
- * Copyright (C) 2012 Oracle Corporation
+ * Copyright (C) 2012-2013 Oracle Corporation
  *
  * This file is part of VirtualBox Open Source Edition (OSE), as
@@ -87,5 +87,4 @@
                              const char *pcszProxyUser, const char *pcszProxyPwd);
 
-
 /**
  * Set custom headers.
@@ -98,4 +97,14 @@
  */
 RTR3DECL(int) RTHttpSetHeaders(RTHTTP hHttp, uint32_t cHeaders, const char *pcszHeaders[]);
+
+/**
+ * Set a custom certification authority file, containing root certificates.
+ *
+ * @returns iprt status code.
+ *
+ * @param    hHttp         HTTP interface handle.
+ * @param    pcszCAFile    File name containing root certificates.
+ */
+RTR3DECL(int) RTHttpSetCAFile(RTHTTP hHttp, const char *pcszCAFile);
 /** @} */
 
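Review bot: The doc comment for RTHttpSetCAFile does not say whether pcszCAFile is copied or only referenced; the implementation in http.cpp stores the pointer as-is, so the string has to stay valid for as long as the handle may issue requests. Add that to the parameter line, e.g. `@param    pcszCAFile    File name containing root certificates. The string is not copied and must stay valid until the handle is destroyed or another CA file is set; NULL restores the default.` It would also help callers to state what happens when the named file does not exist at request time, since that is decided in RTHttpGet rather than here.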
Index: /trunk/src/VBox/Runtime/common/misc/http.cpp
===================================================================
--- /trunk/src/VBox/Runtime/common/misc/http.cpp	(revision 45330)
+++ /trunk/src/VBox/Runtime/common/misc/http.cpp	(revision 45331)
@@ -1,3 +1,2 @@
-
 /* $Id$ */
 /** @file
@@ -6,5 +5,5 @@
 
 /*
- * Copyright (C) 2012 Oracle Corporation
+ * Copyright (C) 2012-2013 Oracle Corporation
  *
  * This file is part of VirtualBox Open Source Edition (OSE), as
@@ -35,4 +34,5 @@
 #include <iprt/mem.h>
 #include <iprt/string.h>
+#include <iprt/file.h>
 
 #include <curl/curl.h>
@@ -49,4 +49,5 @@
     long lLastResp;
     struct curl_slist *pHeaders;
+    const char *pcszCAFile;
 } RTHTTPINTERNAL;
 typedef RTHTTPINTERNAL *PRTHTTPINTERNAL;
@@ -198,4 +199,14 @@
 }
 
+RTR3DECL(int) RTHttpSetCAFile(RTHTTP hHttp, const char *pcszCAFile)
+{
+    PRTHTTPINTERNAL pHttpInt = hHttp;
+    RTHTTP_VALID_RETURN(pHttpInt);
+
+    pHttpInt->pcszCAFile = pcszCAFile;
+
+    return VINF_SUCCESS;
+}
+
 RTR3DECL(int) RTHttpGet(RTHTTP hHttp, const char *pcszUrl, char **ppszResponse)
 {
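Review bot: RTHttpSetCAFile keeps the caller's pointer (`pHttpInt->pcszCAFile = pcszCAFile;`) rather than a copy, so a caller that passes a stack buffer or a string it later frees leaves the handle holding a dangling path that RTHttpGet then hands to curl. Either duplicate the string with RTStrDup (iprt/string.h is already included), free the previous value on each call, and release it in RTHttpDestroy, or document the lifetime requirement on the public declaration so callers know they own the storage. Passing NULL is accepted and falls back to the default path in RTHttpGet, which is worth a one-line comment here as well.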
@@ -213,8 +224,13 @@
 #endif
 
-    /* XXX */
-    rcCurl = curl_easy_setopt(pHttpInt->pCurl, CURLOPT_CAINFO, "/etc/ssl/certs/ca-certificates.crt");
-    if (CURL_FAILED(rcCurl))
-        return VERR_INTERNAL_ERROR;
+    const char *pcszCAFile = "/etc/ssl/certs/ca-certificates.crt";
+    if (pHttpInt->pcszCAFile)
+        pcszCAFile = pHttpInt->pcszCAFile;
+    if (RTFileExists(pcszCAFile))
+    {
+        rcCurl = curl_easy_setopt(pHttpInt->pCurl, CURLOPT_CAINFO, pcszCAFile);
+        if (CURL_FAILED(rcCurl))
+            return VERR_INTERNAL_ERROR;
+    }
 
     RTHTTPMEMCHUNK chunk = { NULL, 0 };
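Review bot: When the caller has configured a CA file that does not exist, the `RTFileExists` guard silently skips `CURLOPT_CAINFO` and the request proceeds with whatever bundle curl was built with, so a typo in the configured path becomes a quiet change of trust anchors instead of an error. Keep the existence check for the built-in fallback path, but fail explicitly for an explicit configuration, e.g. `if (pHttpInt->pcszCAFile && !RTFileExists(pHttpInt->pcszCAFile)) return VERR_FILE_NOT_FOUND;` before the setopt block. The hard-coded `/etc/ssl/certs/ca-certificates.crt` is a Debian-style location; on hosts that keep the bundle elsewhere the same silent fallback happens, which should at least be noted in a comment next to the default. RTHttpGet begins and ends outside this hunk, so whether peer verification is otherwise enforced cannot be seen here.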
Index: /trunk/src/VBox/Runtime/testcase/tstHttp.cpp
===================================================================
--- /trunk/src/VBox/Runtime/testcase/tstHttp.cpp	(revision 45330)
+++ /trunk/src/VBox/Runtime/testcase/tstHttp.cpp	(revision 45331)
@@ -5,5 +5,5 @@
 
 /*
- * Copyright (C) 2012 Oracle Corporation
+ * Copyright (C) 2012-2013 Oracle Corporation
  *
  * This file is part of VirtualBox Open Source Edition (OSE), as
@@ -31,7 +31,10 @@
 #include <iprt/http.h>
 #include <iprt/mem.h>
+#include <iprt/file.h>
 #include <iprt/stream.h>
+#include <iprt/string.h>
 #include <iprt/initterm.h>
-#include <iprt/thread.h>
+
+#define CAFILE_NAME "tstHttp-tempcafile.crt"
 
 int main()
@@ -44,4 +47,57 @@
     int rc = RTHttpCreate(&hHttp);
     char *pszBuf = NULL;
+    PRTSTREAM CAFile = NULL;
+
+    // create certificate file
+    rc = RTStrmOpen(CAFILE_NAME, "w+b", &CAFile);
+
+    // fetch root CA certificate (new one, often avoided in cert chains by
+    // using an intermediate cert which is signed by old root)
+    if (RT_SUCCESS(rc))
+        rc = RTHttpGet(hHttp,
+                       "http://www.verisign.com/repository/roots/root-certificates/PCA-3G5.pem",
+                       &pszBuf);
+    if (RT_SUCCESS(rc) && pszBuf)
+    {
+	/// @todo check certificate fingerprint against a strong hash,
+	// otherwise there's a simple way for a man-in-the-middle attack
+        rc = RTStrmWrite(CAFile, pszBuf, strlen(pszBuf));
+	if (RT_SUCCESS(rc))
+            rc = RTStrmWrite(CAFile, RTFILE_LINEFEED, strlen(RTFILE_LINEFEED));
+    }
+    if (pszBuf)
+    {
+        RTMemFree(pszBuf);
+        pszBuf = NULL;
+    }
+
+    // fetch root CA certificate (old one, but still very widely used)
+    if (RT_SUCCESS(rc))
+        rc = RTHttpGet(hHttp,
+                       "http://www.verisign.com/repository/roots/root-certificates/PCA-3.pem",
+                       &pszBuf);
+    if (RT_SUCCESS(rc) && pszBuf)
+    {
+	/// @todo check certificate fingerprint against a strong hash,
+	// otherwise there's a simple way for a man-in-the-middle attack
+        rc = RTStrmWrite(CAFile, pszBuf, strlen(pszBuf));
+	if (RT_SUCCESS(rc))
+            rc = RTStrmWrite(CAFile, RTFILE_LINEFEED, strlen(RTFILE_LINEFEED));
+    }
+    if (pszBuf)
+    {
+        RTMemFree(pszBuf);
+        pszBuf = NULL;
+    }
+
+    // close certificate file
+    if (CAFile)
+    {
+        RTStrmClose(CAFile);
+        CAFile = NULL;
+    }
+
+    if (RT_SUCCESS(rc))
+        rc = RTHttpSetCAFile(hHttp, CAFILE_NAME);
     if (RT_SUCCESS(rc))
         rc = RTHttpGet(hHttp,
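Review bot: The status of `RTHttpCreate` is discarded: `rc = RTStrmOpen(CAFILE_NAME, "w+b", &CAFile);` overwrites it unconditionally, so a failed create leaves hHttp unusable yet the test carries on into RTHttpGet with it. Guard it like the other steps: `if (RT_SUCCESS(rc)) rc = RTStrmOpen(CAFILE_NAME, "w+b", &CAFile);`. The root certificates are fetched over plain http:// and written to the CA file unverified, as the two @todo comments already acknowledge; for a testcase the simpler fix is to embed the expected PEM (or at minimum its fingerprint) in the source so the trust anchor does not depend on what the download returns. The blocks around the @todo comments are indented with tabs while the rest of the file uses spaces. main() ends outside this hunk.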
@@ -50,7 +106,12 @@
     RTHttpDestroy(hHttp);
 
+    if (RT_FAILURE(rc))
+        cErrors++;
+
     RTPrintf("Error code: %Rrc\nGot: %s\n", rc, pszBuf);
     RTMemFree(pszBuf);
 
+//    RTFileDelete(CAFILE_NAME);
+
     return !!cErrors;
 }
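Review bot: `RTFileDelete(CAFILE_NAME)` is left commented out, so the temporary CA file holding the downloaded roots stays in the working directory after every run and is silently overwritten by the next one. Either enable the delete, or replace the commented-out line with a comment saying why the file is kept (for inspection after a failure, for instance). Note that the delete would use `iprt/file.h`, which this commit already adds to the testcase.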
