Overview
| Comment: | Added very basic client certificate support for https. |
|---|---|
| SHA1: |
513ea81005b9292c16b3896c339de120 |
| User & Date: | jan 2011-03-25 18:20:19.560 |
Context
|
2011-03-29
| ||
| 14:12 | Add support for feeding OpenSSL a CA certificate file/path for proper chain verification. This is one of several possible solutions to ticket [727af73f46]. Also cache the CA certificate file/path, client certificate/key file/path references in the global config (similar to how the server certificates are cached), and attempt to use them if the corresponding environment variables have not been set. Prefixed a function with ssl_ to conform to existing naming conventions. ... (check-in: b28995ccbd user: jan tags: jan-clientcert) | |
|
2011-03-25
| ||
| 18:20 | Added very basic client certificate support for https. ... (check-in: 513ea81005 user: jan tags: jan-clientcert) | |
|
2011-03-10
| ||
| 17:42 | Show the name of the user that is doing the commit in the prompt section commit comment template. ... (check-in: cdc4249268 user: drh tags: trunk) | |
Changes
Changes to src/http_ssl.c.
| ︙ | ︙ | |||
129 130 131 132 133 134 135 136 137 138 139 140 141 142 |
** Return the number of errors.
*/
int ssl_open(void){
X509 *cert;
int hasSavedCertificate = 0;
char *connStr ;
ssl_global_init();
/* Get certificate for current server from global config and
* (if we have it in config) add it to certificate store.
*/
cert = ssl_get_certificate();
if ( cert!=NULL ){
X509_STORE_add_cert(SSL_CTX_get_cert_store(sslCtx), cert);
| > > > | 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 |
** Return the number of errors.
*/
int ssl_open(void){
X509 *cert;
int hasSavedCertificate = 0;
char *connStr ;
ssl_global_init();
/* If client certificate/key has been set, load them into the SSL context. */
load_client_authfiles();
/* Get certificate for current server from global config and
* (if we have it in config) add it to certificate store.
*/
cert = ssl_get_certificate();
if ( cert!=NULL ){
X509_STORE_add_cert(SSL_CTX_get_cert_store(sslCtx), cert);
|
| ︙ | ︙ | |||
283 284 285 286 287 288 289 290 291 |
if( got<=0 ) break;
total += got;
N -= got;
pContent = (void*)&((char*)pContent)[got];
}
return total;
}
#endif /* FOSSIL_ENABLE_SSL */
| > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 |
if( got<=0 ) break;
total += got;
N -= got;
pContent = (void*)&((char*)pContent)[got];
}
return total;
}
/*
** Read client certificate and key, if set, and store them in the SSL context
** to allow communication with servers which are configured to verify client
** certificates and certificate chains.
** We only support PEM and don't support password protected keys.
*/
void load_client_authfiles(void)
{
const char *certfile;
const char *keyfile;
certfile = getenv("FOSSIL_CCERT");
if( certfile == NULL )
return;
keyfile = getenv("FOSSIL_CKEY");
/* Assume the key is in the certificate file if key file was not specified */
if( certfile && !keyfile )
keyfile = certfile;
if( SSL_CTX_use_certificate_file(sslCtx, certfile, SSL_FILETYPE_PEM) <= 0 ){
fossil_fatal("Unable to open client certificate in %s.", certfile);
}
if( SSL_CTX_use_PrivateKey_file(sslCtx, keyfile, SSL_FILETYPE_PEM) <= 0 ){
fossil_fatal("Unable to open client key in %s.", keyfile);
}
if( !SSL_CTX_check_private_key(sslCtx) ){
fossil_fatal("Private key does not match the certificate public key.");
}
}
#endif /* FOSSIL_ENABLE_SSL */
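Review bot: In load_client_authfiles(), `SSL_CTX_use_certificate_file(sslCtx, certfile, SSL_FILETYPE_PEM)` installs only the single leaf certificate from FOSSIL_CCERT, while the header comment promises interoperability with servers that "verify client certificates and certificate chains"; a client certificate issued by an intermediate CA will be presented without that intermediate and such a server will reject the handshake. Replacing the call with `SSL_CTX_use_certificate_chain_file(sslCtx, certfile)` loads the leaf plus any intermediates that follow it in the same PEM file and still handles the single-certificate case. The `certfile &&` in `if( certfile && !keyfile )` is redundant, since certfile was already tested for NULL two lines earlier. The three fossil_fatal() calls discard OpenSSL's error queue, so the user cannot tell an unreadable file from a malformed one or a key/cert mismatch; appending `ERR_reason_error_string(ERR_get_error())` (from openssl/err.h) to each message would make that visible. An encrypted PEM key is not rejected here either: OpenSSL's default passphrase callback will presumably prompt on the terminal rather than fail, which is at odds with the comment's "don't support password protected keys" and is worth stating in the comment or guarding with an explicit SSL_CTX_set_default_passwd_cb.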
|