Overview
| Comment: | Change the priority of trust-store location search so that environment variables SSL_CERT_FILE and SSL_CERT_DIR take precedence over the ssl-ca-location setting. This allows a one-command override of the ssl-ca-location for testing or debugging. |
|---|---|
| SHA3-256: |
e225dc9deca843d6a45a269343fb53e5 |
| User & Date: | drh 2022-01-19 15:35:43.305 |
Changes
Changes to src/http_ssl.c.
| ︙ | ︙ | |||
246 247 248 249 250 251 252 |
}
/*
** Call this routine once before any other use of the SSL interface.
** This routine does initial configuration of the SSL module.
*/
static void ssl_global_init_client(void){
| < > > > > > > | > > > > > > > > > | < < > > | > | < | | > > | < | > | | > > > > | | < < | 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 |
}
/*
** Call this routine once before any other use of the SSL interface.
** This routine does initial configuration of the SSL module.
*/
static void ssl_global_init_client(void){
const char *identityFile;
if( sslIsInit==0 ){
const char *zFile;
const char *zCaFile = 0;
const char *zCaDirectory = 0;
int i;
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
sslCtx = SSL_CTX_new(SSLv23_client_method());
/* Disable SSLv2 and SSLv3 */
SSL_CTX_set_options(sslCtx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
/* Find the trust store */
zFile = 0;
for(i=0; zFile==0 && i<5; i++){
switch( i ){
case 0: /* First priority is environmentn variables */
zFile = fossil_getenv(X509_get_default_cert_file_env());
break;
case 1:
zFile = fossil_getenv(X509_get_default_cert_dir_env());
break;
case 2:
zFile = db_get("ssl-ca-location",0);
break;
case 3:
zFile = X509_get_default_cert_file();
break;
case 4:
zFile = X509_get_default_cert_dir();
break;
}
if( zFile==0 ) continue;
switch( file_isdir(zFile, ExtFILE) ){
case 0: { /* doesn't exist */
zFile = 0;
break;
}
case 1: { /* directory */
zCaFile = 0;
zCaDirectory = zFile;
break;
}
case 2: { /* file */
zCaFile = zFile;
zCaDirectory = 0;
break;
}
}
}
if( zFile==0 ){
/* fossil_fatal("Cannot find a trust store"); */
}else if( SSL_CTX_load_verify_locations(sslCtx, zCaFile, zCaDirectory)==0 ){
fossil_fatal("Cannot load CA root certificates from %s", zFile);
}
/* Load client SSL identity, preferring the filename specified on the
** command line */
if( g.zSSLIdentity!=0 ){
identityFile = g.zSSLIdentity;
}else{
|
| ︙ | ︙ | |||
952 953 954 955 956 957 958 |
" The version of the OpenSSL library being used\n"
" by this instance of Fossil. Version 3.0.0 or\n"
" later is recommended.\n\n"
);
}
fossil_print("Trust store location\n");
| < < < < < < < < < < < < | > > > | > > > > > > > > > > | 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 |
" The version of the OpenSSL library being used\n"
" by this instance of Fossil. Version 3.0.0 or\n"
" later is recommended.\n\n"
);
}
fossil_print("Trust store location\n");
zName = X509_get_default_cert_file_env();
zValue = fossil_getenv(zName);
if( zValue==0 ) zValue = "";
trust_location_usable(zValue, &zUsed);
nName = strlen(zName);
fossil_print(" %s:%*s%s\n", zName, 19-nName, "", zValue);
zName = X509_get_default_cert_dir_env();
zValue = fossil_getenv(zName);
if( zValue==0 ) zValue = "";
trust_location_usable(zValue, &zUsed);
nName = strlen(zName);
fossil_print(" %s:%*s%s\n", zName, 19-nName, "", zValue);
if( verbose ){
fossil_print("\n"
" Environment variables that determine alternative locations for\n"
" the root certificates used by Fossil when it is acting as a SSL\n"
" client. If specified, these alternative locations take top\n"
" priority.\n\n"
);
}
zValue = db_get("ssl-ca-location","");
trust_location_usable(zValue, &zUsed);
fossil_print(" ssl-ca-location: %s\n", zValue);
if( verbose ){
fossil_print("\n"
" This setting is the name of a file or directory that contains\n"
" the complete set of root certificates used by Fossil when it\n"
" is acting as a SSL client. If defined, this setting takes\n"
" priority over built-in paths.\n\n"
);
}
zValue = X509_get_default_cert_file();
trust_location_usable(zValue, &zUsed);
fossil_print(" OpenSSL-cert-file: %s\n", zValue);
zValue = X509_get_default_cert_dir();
trust_location_usable(zValue, &zUsed);
fossil_print(" OpenSSL-cert-dir: %s\n", X509_get_default_cert_dir());
|
| ︙ | ︙ |
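Review bot: In the first hunk, an environment variable (cases 0 and 1 of the search loop) that names a path which does not exist is silently dropped by the `case 0: { /* doesn't exist */` branch and the search falls back to ssl-ca-location and the OpenSSL defaults, so a mistyped SSL_CERT_FILE override quietly verifies against a different trust store than the operator intended; since the commit's purpose is to make these variables authoritative, report the skip in that branch with `if( i<2 ) fossil_warning("ignoring %s: not a file or directory", zFile);` before `zFile = 0;`, and fix the typo in the loop's first comment, `/* First priority is environment variables */`. When all five candidates fail, the `fossil_fatal` is commented out and `SSL_CTX_load_verify_locations` is never called, so whether connections are then rejected or accepted depends on the verify mode configured outside this hunk; a comment stating that the context is deliberately left without CA roots in that case would make the intent reviewable. In the second hunk, the last `fossil_print` passes `X509_get_default_cert_dir()` again instead of the `zValue` just assigned from it; `fossil_print(" OpenSSL-cert-dir: %s\n", zValue);` matches the neighbouring lines. ssl_global_init_client's body continues past the end of the hunk.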