Fossil: Diff

Differences From Artifact [69903d0525]:

File src/http_ssl.c — part of check-in [d7008b3457] at 2022-01-17 16:56:51 on branch trunk — A general simplification of the server-side TLS logic: Do not store server-certs in settings. Remove the ssl-config subcommands that try to do that. Change command-line options for server-TLS mode on "fossil server" and "fossil http": --cert for the cert file, --pkey for the private key, and omit --tls and --ssl. This check-in supercedes [/timeline?r=tls-server-fix|the tls-server-fix branch]. See [forum:/forumpost/de470658fdf45100|forum post de470658fdf45100]. (user: drh size: 35226)

To Artifact [cd4baa1dae]:

File src/http_ssl.c — part of check-in [0abeed1118] at 2022-01-18 14:20:46 on branch trunk — For the "fossil ssl-config" command, show the five possible locations of the trust store in priority order, and show the one that is actually used at the end. In -v mode, show the hash for each exception. (user: drh size: 36909)

︙			︙
246 247 248 249 250 251 252 ~~253~~ 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277	} /* Call this routine once before any other use of the SSL interface. This routine does initial configuration of the SSL module. / static void ssl_global_init_client(void){ ~~const char zCaSetting ~~= 0, zCaFile = 0, zCaDirectory~~ = 0;~~ const char identityFile; if( sslIsInit==0 ){ SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); sslCtx = SSL_CTX_new(SSLv23_client_method()); / Disable SSLv2 and SSLv3 / SSL_CTX_set_options(sslCtx, SSL_OP_NO_SSLv2\|SSL_OP_NO_SSLv3); / Set up acceptable CA root certificates / zCaSetting = db_get("ssl-ca-location", 0); if( zCaSetting==0 \|\| zCaSetting[0]=='\0' ){ / CA location not specified, use platform's default certificate store / X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx)); }else{ / User has specified a CA location, make sure it exists and use it / switch( file_isdir(zCaSetting, ExtFILE) ){ case 0: { / doesn't exist / fossil_fatal("ssl-ca-location is set to '%s', " "but is not a file or directory", zCaSetting); break; } case 1: { / directory */	\| > >	246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279	} /* Call this routine once before any other use of the SSL interface. This routine does initial configuration of the SSL module. / static void ssl_global_init_client(void){ const char zCaSetting = 0; const char identityFile; if( sslIsInit==0 ){ SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); sslCtx = SSL_CTX_new(SSLv23_client_method()); / Disable SSLv2 and SSLv3 / SSL_CTX_set_options(sslCtx, SSL_OP_NO_SSLv2\|SSL_OP_NO_SSLv3); / Set up acceptable CA root certificates / zCaSetting = db_get("ssl-ca-location", 0); if( zCaSetting==0 \|\| zCaSetting[0]=='\0' ){ / CA location not specified, use platform's default certificate store / X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx)); }else{ / User has specified a CA location, make sure it exists and use it / const char zCaFile = 0; const char zCaDirectory = 0; switch( file_isdir(zCaSetting, ExtFILE) ){ case 0: { / doesn't exist / fossil_fatal("ssl-ca-location is set to '%s', " "but is not a file or directory", zCaSetting); break; } case 1: { / directory */
︙			︙
852 853 854 855 856 857 858 859 860 861 862 863 864 865	return -SSL_get_error(pServer->ssl, n); }else{ return n; } } #endif /* FOSSIL_ENABLE_SSL / / ** COMMAND: tls-config* COMMAND: ssl-config Usage: %fossil ssl-config [SUBCOMMAND] [OPTIONS...] [ARGS...]	> > > > > > > > > > > >	854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879	return -SSL_get_error(pServer->ssl, n); }else{ return n; } } #endif /* FOSSIL_ENABLE_SSL / / zPath is a name that might be a file or directory containing a trust store. pzStore is the name of the trust store to actually use. * ** If pzStore is not NULL (meaning no trust store has been found yet) * and if zPath exists, then set pzStore to point to zPath. / static void trust_location_usable(const char zPath, const char pzStore){ if( pzStore!=0 ) return; if( file_isdir(zPath, ExtFILE)>0 ) pzStore = zPath; } / ** COMMAND: tls-config* COMMAND: ssl-config Usage: %fossil ssl-config [SUBCOMMAND] [OPTIONS...] [ARGS...]
︙			︙
880 881 882 883 884 885 886 887 888 889 890 891 892 893	show ?-v? Show the TLS configuration. Add -v to see additional explaination / void test_tlsconfig_info(void){ const char zCmd; size_t nCmd; int nHit = 0; db_find_and_open_repository(OPEN_OK_NOT_FOUND\|OPEN_SUBSTITUTE,0); db_open_config(1,0); if( g.argc==2 \|\| (g.argc>=3 && g.argv[2][0]=='-') ){ zCmd = "show"; nCmd = 4; }else{ zCmd = g.argv[2];	>	894 895 896 897 898 899 900 901 902 903 904 905 906 907 908	show ?-v? Show the TLS configuration. Add -v to see additional explaination / void test_tlsconfig_info(void){ const char zCmd; size_t nCmd; int nHit = 0; db_find_and_open_repository(OPEN_OK_NOT_FOUND\|OPEN_SUBSTITUTE,0); db_open_config(1,0); if( g.argc==2 \|\| (g.argc>=3 && g.argv[2][0]=='-') ){ zCmd = "show"; nCmd = 4; }else{ zCmd = g.argv[2];
︙			︙
912 913 914 915 916 917 918 919 920 921 922 923 924 ~~925~~ 926 927 928 929 930 931 ~~932~~ 933 934 935 936 937 938 939 940 941 ~~942~~ ~~943~~ 944 945 ~~946 947 948 949 950~~ 951 952 953 954 955 956 957 ~~958~~ 959 960 961 962 ~~963~~ 964 965 ~~966 967 968 969~~ 970 971 ~~972~~ 973 ~~974~~ 975 976 ~~977~~ ~~978~~ ~~979~~ ~~980~~ 981 982 983 ~~984~~ 985 986 987 988 989 990 991 992 993 994 ~~995~~ 996 997 ~~998~~ 999 1000 1001 1002 1003 ~~1004~~ ~~1005~~ 1006 1007 1008 1009 1010 1011 1012	"PRAGMA secure_delete=ON;" "DELETE FROM config WHERE name GLOB 'ssl-';" ); db_protect_pop(); }else if( strncmp("show",zCmd,nCmd)==0 ){ const char zName, zValue; size_t nName; Stmt q; int verbose = find_option("verbose","v",0)!=0; verify_all_options(); #if !defined(FOSSIL_ENABLE_SSL) ~~fossil_print("OpenSSL-version: (none)\n");~~ if( verbose ){ fossil_print("\n" " The OpenSSL library is not used by this build of Fossil\n\n" ); } #else ~~fossil_print("OpenSSL-version: %s (0x%09x)\n",~~ SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER); if( verbose ){ fossil_print("\n" " The version of the OpenSSL library being used\n" " by this instance of Fossil. Version 3.0.0 or\n" " later is recommended.\n\n" ); } ~~fossil_print("Open~~SSL-cert-file: %s~~\n"~~, X509_get_default_cert_file()~~);~~ ~~fossil_print("~~OpenSSL~~-cert~~-dir:~~ %s\n", ~~X509_g~~e~~t_default_cert_dir()~~);~~ if( verbose ){ fossil_print("\n" " The de~~fault locations for th~~e set of root certificates\n" ~~" used by the \"fossil sync\" and similar commands to verify\n"~~ ~~" the identity of servers for \"https:\" URLs. These values\n"~~ " ~~come into play when Fossil~~ is ~~used~~ as a ~~TLS~~ client. These\n" ~~" values are built into your OpenSSL library.\n\n"~~ ); } zName = X509_get_default_cert_file_env(); zValue = fossil_getenv(zName); if( zValue==0 ) zValue = ""; nName = strlen(zName); ~~fossil_print("%s:%s%s\n", zName, 18-nName, "", zValue);~~ zName = X509_get_default_cert_dir_env(); zValue = fossil_getenv(zName); if( zValue==0 ) zValue = ""; nName = strlen(zName); ~~fossil_print("%s:%s%s\n", zName, 18-nName, "", zValue);~~ if( verbose ){ fossil_print("\n" " Alternative locations for ~~the root certificates used by Fossil~~\n" " when it is acting as a SSL ~~client in order to verify the identity~~\n" " of se~~rvers~~. If specified, these alternative locations override\n" " the built-in locations.\n\n" ); } ~~#endif / FOSSIL_ENABLE_SSL /~~ ~~fossil_print("~~ssl~~-ca-~~location:~~ %s\n", ~~db_g~~e~~t("ssl-ca-location","")~~);~~ if( verbose ){ fossil_print("\n" ~~" This setting is the name of a file or directory that contains\n"~~ ~~" ~~the complete set of root certificates~~ used by Fossil whe~~n it~~\n"~~ ~~" is acting as a SSL client. If defined, this setting takes\n"~~ ~~" ~~priority~~ ove~~r built-in p~~aths and envi~~ronment variables~~\n\n"~~ ); } ~~fossil_print("ssl-identity: %s\n", db_get("ssl-identity",""));~~ if( verbose ){ fossil_print("\n" " This setting is the name of a file that contains the PEM-format\n" " certificate and private-key used by Fossil clients to authenticate\n" " with servers. Few servers actually require this, so this setting\n" " is usually blank.\n\n" ); } db_prepare(&q, ~~"SELECT name, '' FROM global_config"~~ " WHERE name GLOB 'cert:'" "UNION ALL " ~~"SELECT name, date(mtime,'unixepoch') FROM config"~~ " WHERE name GLOB 'cert:*'" " ORDER BY name" ); nHit = 0; while( db_step(&q)==SQLITE_ROW ){ ~~fossil_print("exception: %-40s %s\n",~~ ~~db_column_text(&q,0)+5, db_column_text(&q,1));~~ nHit++; } db_finalize(&q); if( nHit && verbose ){ fossil_print("\n" " The exceptions are server certificates that the Fossil client\n" " is unable to verify using root certificates, but which should be\n"	> \| \| \| > > \| > \| < < \| < > > \| > \| \| \| \| \| < > > \| > > > < > \| > > > > > \| > > > > > > > \| > > > > \| \| \| > > \| > > > > > \| >	927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059	"PRAGMA secure_delete=ON;" "DELETE FROM config WHERE name GLOB 'ssl-';" ); db_protect_pop(); }else if( strncmp("show",zCmd,nCmd)==0 ){ const char zName, zValue; const char zUsed = 0; /* Trust store location actually used / size_t nName; Stmt q; int verbose = find_option("verbose","v",0)!=0; verify_all_options(); #if !defined(FOSSIL_ENABLE_SSL) fossil_print("OpenSSL-version: (none)\n"); if( verbose ){ fossil_print("\n" " The OpenSSL library is not used by this build of Fossil\n\n" ); } #else fossil_print("OpenSSL-version: %s (0x%09x)\n", SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER); if( verbose ){ fossil_print("\n" " The version of the OpenSSL library being used\n" " by this instance of Fossil. Version 3.0.0 or\n" " later is recommended.\n\n" ); } fossil_print("Trust store location\n"); zValue = db_get("ssl-ca-location",""); trust_location_usable(zValue, &zUsed); fossil_print(" ssl-ca-location: %s\n", zValue); if( verbose ){ fossil_print("\n" " This setting is the name of a file or directory that contains\n" " the complete set of root certificates used by Fossil when it\n" " is acting as a SSL client. If defined, this setting takes\n" " priority over built-in paths and environment variables\n\n" ); } zName = X509_get_default_cert_file_env(); zValue = fossil_getenv(zName); if( zValue==0 ) zValue = ""; trust_location_usable(zValue, &zUsed); nName = strlen(zName); fossil_print(" %s:%s%s\n", zName, 19-nName, "", zValue); zName = X509_get_default_cert_dir_env(); zValue = fossil_getenv(zName); if( zValue==0 ) zValue = ""; trust_location_usable(zValue, &zUsed); nName = strlen(zName); fossil_print(" %s:%s%s\n", zName, 19-nName, "", zValue); if( verbose ){ fossil_print("\n" " Environment variables that determine alternative locations for\n" " the root certificates used by Fossil when it is acting as a SSL\n" " client. If specified, these alternative locations override\n" " the built-in locations.\n\n" ); } zValue = X509_get_default_cert_file(); trust_location_usable(zValue, &zUsed); fossil_print(" OpenSSL-cert-file: %s\n", zValue); zValue = X509_get_default_cert_dir(); trust_location_usable(zValue, &zUsed); fossil_print(" OpenSSL-cert-dir: %s\n", X509_get_default_cert_dir()); if( verbose ){ fossil_print("\n" " The default locations for the set of root certificates\n" " used by the \"fossil sync\" and similar commands to verify\n" " the identity of servers for \"https:\" URLs. These values\n" " come into play when Fossil is used as a TLS client. These\n" " values are built into your OpenSSL library.\n\n" ); } if( zUsed==0 ) zUsed = ""; fossil_print(" Trust store used: %s\n", zUsed); if( verbose ){ fossil_print("\n" " The location that is actually used for the root certificates\n" " used to verify the identity of servers for \"https:\" URLs.\n" " This will be one of the first of the five locations listed\n" " above that actually exists.\n\n" ); } #endif / FOSSIL_ENABLE_SSL / fossil_print("ssl-identity: %s\n", db_get("ssl-identity","")); if( verbose ){ fossil_print("\n" " This setting is the name of a file that contains the PEM-format\n" " certificate and private-key used by Fossil clients to authenticate\n" " with servers. Few servers actually require this, so this setting\n" " is usually blank.\n\n" ); } db_prepare(&q, "SELECT name, '', value FROM global_config" " WHERE name GLOB 'cert:'" "UNION ALL " "SELECT name, date(mtime,'unixepoch'), value FROM config" " WHERE name GLOB 'cert:'" " ORDER BY name" ); nHit = 0; while( db_step(&q)==SQLITE_ROW ){ / 123456789 123456789 123456789 */ if( verbose ){ fossil_print("exception: %-40s %s\n" " hash: %.57s\n", db_column_text(&q,0)+5, db_column_text(&q,1), db_column_text(&q,2)); }else{ fossil_print("exception: %-40s %s\n", db_column_text(&q,0)+5, db_column_text(&q,1)); } nHit++; } db_finalize(&q); if( nHit && verbose ){ fossil_print("\n" " The exceptions are server certificates that the Fossil client\n" " is unable to verify using root certificates, but which should be\n"
︙			︙