Overview
| Comment: | Disable SSLv3 by default, but provide a new setting "ssl-enable-v3" to enable it. |
|---|---|
| SHA1: | 9f1f3f34095397183f2b0c278001341c |
| User & Date: | jan.nijtmans 2014-12-17 21:22:17.049 |
Context
2014-12-18
| 08:17 | Merge trunk. Disable SSLv3 without setting to re-enable it. check-in: d6e8e26d41 user: jan.nijtmans tags: disable-sslv3 |
2014-12-17
| 21:22 | Disable SSLv3 by default, but provide a new setting "ssl-enable-v3" to enable it. check-in: 9f1f3f3409 user: jan.nijtmans tags: disable-sslv3 |
| 01:39 | Remove the "Flat-View" submenu option from the /tree pages. The Flat-View page still exists, and is reachable from the /sitemap page. But it is no longer prominently featured. check-in: 47a9d3899a user: drh tags: trunk |
Changes
Changes to src/db.c.
| ︙ | ︙ | |||
2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 |
{ "pgp-command", 0, 40, 0, 0, "gpg --clearsign -o " },
{ "proxy", 0, 32, 0, 0, "off" },
{ "relative-paths", 0, 0, 0, 0, "on" },
{ "repo-cksum", 0, 0, 0, 0, "on" },
{ "self-register", 0, 0, 0, 0, "off" },
{ "ssh-command", 0, 40, 0, 0, "" },
{ "ssl-ca-location", 0, 40, 0, 0, "" },
{ "ssl-identity", 0, 40, 0, 0, "" },
#ifdef FOSSIL_ENABLE_TCL
{ "tcl", 0, 0, 0, 0, "off" },
{ "tcl-setup", 0, 40, 1, 1, "" },
#endif
#ifdef FOSSIL_ENABLE_TH1_DOCS
{ "th1-docs", 0, 0, 0, 0, "off" },
| > | 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 2338 |
{ "pgp-command", 0, 40, 0, 0, "gpg --clearsign -o " },
{ "proxy", 0, 32, 0, 0, "off" },
{ "relative-paths", 0, 0, 0, 0, "on" },
{ "repo-cksum", 0, 0, 0, 0, "on" },
{ "self-register", 0, 0, 0, 0, "off" },
{ "ssh-command", 0, 40, 0, 0, "" },
{ "ssl-ca-location", 0, 40, 0, 0, "" },
{ "ssl-enable-v3", 0, 0, 0, 0, "off" },
{ "ssl-identity", 0, 40, 0, 0, "" },
#ifdef FOSSIL_ENABLE_TCL
{ "tcl", 0, 0, 0, 0, "off" },
{ "tcl-setup", 0, 40, 1, 1, "" },
#endif
#ifdef FOSSIL_ENABLE_TH1_DOCS
{ "th1-docs", 0, 0, 0, 0, "off" },
|
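Review bot: The new "ssl-enable-v3" row in the settings table adds a persistent switch that turns SSLv3 back on in the same change that disables it for security reasons, and nothing in the entry sets it apart from harmless settings such as "relative-paths". Consider whether the escape hatch is needed at all (the 08:17 check-in on this branch, d6e8e26d41, disables SSLv3 without a setting), or have the client print a warning whenever the setting is on so that a forgotten override does not stay in effect unnoticed. The alphabetical placement between "ssl-ca-location" and "ssl-identity" and the "off" default are fine.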
| ︙ | ︙ | |||
2526 2527 2528 2529 2530 2531 2532 2533 2534 2535 2536 2537 2538 2539 | ** required by OpenSSL. ** If set, this will override the OS default list of ** OpenSSL CAs. If unset, the default list will be used. ** Some platforms may add additional certificates. ** Check your platform behaviour is as required if the ** exact contents of the CA root is critical for your ** application. ** ** ssl-identity The full pathname to a file containing a certificate ** and private key in PEM format. Create by concatenating ** the certificate and private key files. ** This identity will be presented to SSL servers to ** authenticate this client, in addition to the normal ** password authentication. | > > > | 2527 2528 2529 2530 2531 2532 2533 2534 2535 2536 2537 2538 2539 2540 2541 2542 2543 | ** required by OpenSSL. ** If set, this will override the OS default list of ** OpenSSL CAs. If unset, the default list will be used. ** Some platforms may add additional certificates. ** Check your platform behaviour is as required if the ** exact contents of the CA root is critical for your ** application. ** ** ssl-enable-v3 If enabled, allow the SSLv3 protocol to be used. ** Default: off ** ** ssl-identity The full pathname to a file containing a certificate ** and private key in PEM format. Create by concatenating ** the certificate and private key files. ** This identity will be presented to SSL servers to ** authenticate this client, in addition to the normal ** password authentication. |
| ︙ | ︙ |
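Review bot: The help text added for ssl-enable-v3 ("If enabled, allow the SSLv3 protocol to be used. Default: off") does not say why the default is off or when turning it on is acceptable. Suggest stating that SSLv3 is disabled because it is no longer considered secure, that the setting is meant only for servers that cannot negotiate TLS, and that SSLv2 stays disabled regardless of this setting, which is what the accompanying change to src/http_ssl.c does.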
Changes to src/http_ssl.c.
| ︙ | ︙ | |||
90 91 92 93 94 95 96 97 98 99 100 101 102 103 |
/*
** Call this routine once before any other use of the SSL interface.
** This routine does initial configuration of the SSL module.
*/
void ssl_global_init(void){
const char *zCaSetting = 0, *zCaFile = 0, *zCaDirectory = 0;
const char *identityFile;
if( sslIsInit==0 ){
SSL_library_init();
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
sslCtx = SSL_CTX_new(SSLv23_client_method());
| > | > | | 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 |
/*
** Call this routine once before any other use of the SSL interface.
** This routine does initial configuration of the SSL module.
*/
void ssl_global_init(void){
const char *zCaSetting = 0, *zCaFile = 0, *zCaDirectory = 0;
const char *identityFile;
int sslDisableFlags = SSL_OP_NO_SSLv2;
if( sslIsInit==0 ){
SSL_library_init();
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
sslCtx = SSL_CTX_new(SSLv23_client_method());
/* Disable SSLv2 and (optionally) SSLv3 */
if (!db_get_boolean("ssl-enable-v3", 0)) sslDisableFlags |= SSL_OP_NO_SSLv3;
SSL_CTX_set_options(sslCtx, sslDisableFlags);
/* Set up acceptable CA root certificates */
zCaSetting = db_get("ssl-ca-location", 0);
if( zCaSetting==0 || zCaSetting[0]=='\0' ){
/* CA location not specified, use platform's default certificate store */
X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx));
}else{
|
| ︙ | ︙ |
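Review bot: sslDisableFlags is declared int at the top of ssl_global_init(), but SSL_CTX_set_options() takes an option mask wider than int (long in the OpenSSL releases current at this check-in), so declare it with the API's type and move the declaration inside the sslIsInit==0 block, the only place it is used. The added line if (!db_get_boolean("ssl-enable-v3", 0)) sslDisableFlags |= SSL_OP_NO_SSLv3; also departs from the surrounding style, which writes if( cond ){ ... } with braces. Two further points from the visible lines: the result of SSL_CTX_new() is passed straight to SSL_CTX_set_options() without a NULL check, and because the setting is read only on first initialisation, changing it has no effect on an already initialised process, which deserves a sentence in the setting's help text.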