Fossil

Check-in [b8b22d795e]

Overview
Comment: Update the TLS doc to mention the use of the Windows root certificates (intended more as a reminder from a non-tech-writer and non-security-expert to properly document the feature once more people have used it and not reported any problems).
SHA3-256: b8b22d795e5b51b55aca70e770f90b2c3430e63606029b409338be5005d08d30
User & Date: florian 2024-07-15 16:42:00.000
Context
2024-07-18
10:22
Wider columns on the /help page, so that longer command names do not overflow the available column width. ... (check-in: b919738dc5 user: drh tags: trunk)
2024-07-15
16:42
Update the TLS doc to mention the use of the Windows root certificates (intended more as a reminder from a non-tech-writer and non-security-expert to properly document the feature once more people have used it and not reported any problems). ... (check-in: b8b22d795e user: florian tags: trunk)
10:42
Reduce the WARNING that the Windows root certificates cannot be loaded to a NOTICE and output it on the same channel as the "Unable to verify SSL cert from ... accept this cert and continue (y/N/fingerprint)?" prompt. ... (check-in: 5d993d5439 user: florian tags: trunk)
Changes
Changes to www/ssl.wiki.
187
188
189
190
191
192
193
















194
195
196
197
198
199
200
fossil set --global ssl-ca-location %userprofile%\cacert.pem
</pre>

This can also happen if you've linked Fossil to a version of OpenSSL
[#openssl-src|built from source]. That same <tt>cacert.pem</tt> fix can
work in that case, too.

















When you build Fossil on Linux platforms against the binary OpenSSL
package provided with the OS, you typically get a root cert store along
with the platform OpenSSL package, either built-in or as a hard
dependency.


<h4>Client-Side Certificates</h4>







>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>







187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
fossil set --global ssl-ca-location %userprofile%\cacert.pem
</pre>

This can also happen if you've linked Fossil to a version of OpenSSL
[#openssl-src|built from source]. That same <tt>cacert.pem</tt> fix can
work in that case, too.

<blockquote>
OpenSSL 3.2.0 or greater is able to use the stock CA certificates
managed by Windows, and Fossil 2.25 (still in development as of
2024-07-15) takes advantage of this feature. This <em>possibly</em>
eliminates the need to manually install the Mozilla certificate package,
for example when connecting to Fossil servers secured by the widely-used
Let's Encrypt certificates. Run the following command to check if the
feature is supported:

<pre>
fossil tls-config show -v
</pre>

(See the "OpenSSL-winstore" section, requires Fossil 2.25 or greater.)
</blockquote>

When you build Fossil on Linux platforms against the binary OpenSSL
package provided with the OS, you typically get a root cert store along
with the platform OpenSSL package, either built-in or as a hard
dependency.


<h4>Client-Side Certificates</h4>
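
Review bot: In the added blockquote, "This <em>possibly</em> eliminates the need to manually install the Mozilla certificate package" leaves the reader unable to tell when the Windows store is actually used, and the text never says how it interacts with the `ssl-ca-location` setting shown just above it. Suggest stating which trust source takes effect when both are present, and describing what the "OpenSSL-winstore" section of `fossil tls-config show -v` reports when the feature is supported versus when it is not, so the check is actionable. The dated remark "still in development as of 2024-07-15" will go stale once 2.25 is released, and the version requirement is stated again in the closing parenthetical; one mention is enough.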