305
306
307
308
309
310
311
312
313
314
315
316
317
318
|
}
}
if( zFile==0 ){
/* fossil_fatal("Cannot find a trust store"); */
}else if( SSL_CTX_load_verify_locations(sslCtx, zCaFile, zCaDirectory)==0 ){
fossil_fatal("Cannot load CA root certificates from %s", zFile);
}
/* Load client SSL identity, preferring the filename specified on the
** command line */
if( g.zSSLIdentity!=0 ){
identityFile = g.zSSLIdentity;
}else{
identityFile = db_get("ssl-identity", 0);
|
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
|
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
|
}
}
if( zFile==0 ){
/* fossil_fatal("Cannot find a trust store"); */
}else if( SSL_CTX_load_verify_locations(sslCtx, zCaFile, zCaDirectory)==0 ){
fossil_fatal("Cannot load CA root certificates from %s", zFile);
}
/* Enable OpenSSL to use the Windows system ROOT certificate store to search for
** certificates missing in the file and directory trust stores already loaded by
** `SSL_CTX_load_verify_locations()'.
** This feature was introduced with OpenSSL 3.2.0, and may be enabled by default
** for future versions of OpenSSL, and explicit initialization may be redundant.
** NOTE TO HACKERS TWEAKING THEIR OPENSSL CONFIGURATION:
** The following OpenSSL configuration options must not be used for this feature
** to be available: `no-autoalginit', `no-winstore'. The Fossil makefiles do not
** currently set these options when building OpenSSL for Windows. */
#if defined (_WIN32)
#if OPENSSL_VERSION_NUMBER >= 0x030200000
SSL_CTX_load_verify_store(sslCtx, "org.openssl.winstore:");
#endif /* OPENSSL_VERSION_NUMBER >= 0x030200000 */
#endif /* _WIN32 */
/* Load client SSL identity, preferring the filename specified on the
** command line */
if( g.zSSLIdentity!=0 ){
identityFile = g.zSSLIdentity;
}else{
identityFile = db_get("ssl-identity", 0);
|
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
|
" The default locations for the set of root certificates\n"
" used by the \"fossil sync\" and similar commands to verify\n"
" the identity of servers for \"https:\" URLs. These values\n"
" come into play when Fossil is used as a TLS client. These\n"
" values are built into your OpenSSL library.\n\n"
);
}
if( zUsed==0 ) zUsed = "";
fossil_print(" Trust store used: %s\n", zUsed);
if( verbose ){
fossil_print("\n"
" The location that is actually used for the root certificates\n"
" used to verify the identity of servers for \"https:\" URLs.\n"
|
>
>
>
>
>
>
>
>
>
>
>
>
>
>
|
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
|
" The default locations for the set of root certificates\n"
" used by the \"fossil sync\" and similar commands to verify\n"
" the identity of servers for \"https:\" URLs. These values\n"
" come into play when Fossil is used as a TLS client. These\n"
" values are built into your OpenSSL library.\n\n"
);
}
#if defined (_WIN32)
#if OPENSSL_VERSION_NUMBER >= 0x030200000
fossil_print(" OpenSSL-winstore: Yes\n");
#else /* OPENSSL_VERSION_NUMBER >= 0x030200000 */
fossil_print(" OpenSSL-winstore: No\n");
#endif /* OPENSSL_VERSION_NUMBER >= 0x030200000 */
if( verbose ){
fossil_print("\n"
" OpenSSL 3.2.0 (or newer) also uses the certificates managed by\n"
" the Windows operating system.\n\n"
);
}
#endif /* _WIN32 */
if( zUsed==0 ) zUsed = "";
fossil_print(" Trust store used: %s\n", zUsed);
if( verbose ){
fossil_print("\n"
" The location that is actually used for the root certificates\n"
" used to verify the identity of servers for \"https:\" URLs.\n"
|
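Review bot: The result of `SSL_CTX_load_verify_store(sslCtx, "org.openssl.winstore:")` in the first hunk is discarded, while the second hunk prints `OpenSSL-winstore: Yes` from the compile-time `OPENSSL_VERSION_NUMBER` test alone. The status output can therefore claim the Windows store is in use when the load failed at run time; the added comment itself names `no-winstore` builds as such a case. I would keep the result, e.g. `winstoreOk = SSL_CTX_load_verify_store(sslCtx, "org.openssl.winstore:")!=0;` (`winstoreOk` being a new flag), and print from it, or else word the status line as "supported by this build" rather than "Yes". The call is also unconditional, so it runs when `zCaFile`/`zCaDirectory` were loaded just above. If those can come from an explicit user setting (not visible here), a user who restricted trust to a private CA now also trusts the Windows ROOT store, and that should either be stated in the comment and the verbose help text or the call gated on no explicit location being configured. Both enclosing functions start and end outside the hunks shown.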