Check-in [c563be1552]
Not logged in

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Noted that linking Fossil to an OpenSSL built from source opens the user to the "no root certs" problem previously solved in www/ssl.wiki.
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256:c563be15526be6f215521fd3fc084b95907fd93b9f613e275ec8741698d9fdda
User & Date: wyoung 2019-01-28 19:58:26
Context
2019-01-28
19:59
Markdownism fixes in previous check-in: 3982569195 user: wyoung tags: trunk
19:58
Noted that linking Fossil to an OpenSSL built from source opens the user to the "no root certs" problem previously solved in www/ssl.wiki. check-in: c563be1552 user: wyoung tags: trunk
19:52
Clarified the "build from source" option for linking Fossil to a non-platform version of OpenSSL. check-in: 1e21abda9a user: wyoung tags: trunk
Changes

Changes to www/ssl.wiki.

152
153
154
155
156
157
158
159





160

161
162
163
164
165
166
167
<tt>cacert.pem</tt> file. Install it somewhere on your system, then
point Fossil at it like so:

<pre>
     fossil set --global ssl-ca-location /path/to/cacert.pem
</pre>

Linux platforms tend to provide such a root cert store along with the





platform OpenSSL package, either built-in or as a hard dependency.



<h4>Client-Side Certificates</h4>

You can also use client side certificates to add an extra layer of
authentication, over and above Fossil's built in user management. If you
are particularly paranoid, you'll want to use this to remove the ability







|
>
>
>
>
>
|
>







152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
<tt>cacert.pem</tt> file. Install it somewhere on your system, then
point Fossil at it like so:

<pre>
     fossil set --global ssl-ca-location /path/to/cacert.pem
</pre>

This can also happen if you've linked Fossil to a version of OpenSSL
[built from source](#openssl-src). That same `cacert.pem` fix can work
in that case, too.

When you build Fossil on Linux platforms against the binary OpenSSL
package provided with the OS, you typically get a root cert store along
with the platform OpenSSL package, either built-in or as a hard
dependency.


<h4>Client-Side Certificates</h4>

You can also use client side certificates to add an extra layer of
authentication, over and above Fossil's built in user management. If you
are particularly paranoid, you'll want to use this to remove the ability