Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Rename the "tls-config" command into "ssl-config" for consistency. The older "tls-config" command is retained as an alias. Enhance the command to support server certificate management. |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | ssl-server |
| Files: | files | file ages | folders |
| SHA3-256: |
f6051784c5eef7377e70eed410058491 |
| User & Date: | drh 2021-12-27 16:13:33.734 |
Context
|
2021-12-27
| ||
| 17:01 | Enable access to the ".well-known" subdirectory, to facilitate ACME. check-in: 6d447b8669 user: drh tags: ssl-server | |
| 16:13 | Rename the "tls-config" command into "ssl-config" for consistency. The older "tls-config" command is retained as an alias. Enhance the command to support server certificate management. check-in: f6051784c5 user: drh tags: ssl-server | |
| 12:49 | Add a built-in self-signed certificate for use with TLS servers. Add --tls and --ssl options to active TLS for "fossil ui" and "fossil server". Add the "tls-server-cert" setting. Automatically start servers as TLS if the redirect-to-https property is 2. check-in: 7532ffa4e3 user: drh tags: ssl-server | |
Changes
Changes to src/http_ssl.c.
| ︙ | ︙ | |||
695 696 697 698 699 700 701 | ** ** If zKeyFile and zCertFile are not NULL, then they are the names ** of disk files that hold the certificate and private-key for the ** server. If zCertFile is not NULL but zKeyFile is NULL, then ** zCertFile is assumed to be a concatenation of the certificate and ** the private-key in the PEM format. ** | | | | 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 |
**
** If zKeyFile and zCertFile are not NULL, then they are the names
** of disk files that hold the certificate and private-key for the
** server. If zCertFile is not NULL but zKeyFile is NULL, then
** zCertFile is assumed to be a concatenation of the certificate and
** the private-key in the PEM format.
**
** If zCertFile is NULL, then "ssl-cert" setting is consulted
** to get the certificate and private-key (concatenated together, in
** the PEM format). If there is no ssl-cert setting, then
** a built-in self-signed cert is used.
*/
void ssl_init_server(const char *zCertFile, const char *zKeyFile){
if( sslIsInit==0 ){
const char *zTlsCert;
SSL_library_init();
SSL_load_error_strings();
|
| ︙ | ︙ | |||
722 723 724 725 726 727 728 |
}
if( zKeyFile==0 ) zKeyFile = zCertFile;
if( SSL_CTX_use_PrivateKey_file(sslCtx, zKeyFile, SSL_FILETYPE_PEM)<=0 ){
ERR_print_errors_fp(stderr);
fossil_fatal("Error loading PRIVATE KEY from file \"%s\"", zKeyFile);
}
}else
| | | | 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 |
}
if( zKeyFile==0 ) zKeyFile = zCertFile;
if( SSL_CTX_use_PrivateKey_file(sslCtx, zKeyFile, SSL_FILETYPE_PEM)<=0 ){
ERR_print_errors_fp(stderr);
fossil_fatal("Error loading PRIVATE KEY from file \"%s\"", zKeyFile);
}
}else
if( (zTlsCert = db_get("ssl-cert",0))!=0 ){
if( sslctx_use_cert_from_mem(sslCtx, zTlsCert, -1)
|| sslctx_use_pkey_from_mem(sslCtx, zTlsCert, -1)
){
fossil_fatal("Error loading the CERT from the"
" 'ssl-cert' setting");
}
}else if( sslctx_use_cert_from_mem(sslCtx, sslSelfCert, -1)
|| sslctx_use_pkey_from_mem(sslCtx, sslSelfPKey, -1) ){
fossil_fatal("Error loading self-signed CERT");
}
if( !SSL_CTX_check_private_key(sslCtx) ){
fossil_fatal("PRIVATE KEY \"%s\" does not match CERT \"%s\"",
|
| ︙ | ︙ | |||
844 845 846 847 848 849 850 851 | return n; } #endif /* FOSSIL_ENABLE_SSL */ /* ** COMMAND: tls-config* ** | > | > > > > > > > > > | | > | > > > | > > | > > > > | | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | | > | > > > > > > > > > > | 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 |
return n;
}
#endif /* FOSSIL_ENABLE_SSL */
/*
** COMMAND: tls-config*
** COMMAND: ssl-config
**
** Usage: %fossil ssl-config [SUBCOMMAND] [OPTIONS...] [ARGS...]
**
** This command is used to view or modify the TLS (Transport Layer
** Security) configuration for Fossil. TLS (formerly SSL) is the
** encryption technology used for secure HTTPS transport.
**
** Sub-commands:
**
** clear-cert Remove information about server certificates.
** This is a subset of the "scrub" command.
**
** load-cert PEM-FILES... Identify server certificate files. These
** should be in the PEM format. There are
** normally two files, the certificate and the
** private-key. By default, the text of both
** files is concatenated and added to the
** "ssl-cert" setting. Use --filename to store
** just the filenames.
**
** remove-exception DOMAINS Remove TLS cert exceptions for the domains
** listed. Or remove them all if the --all
** option is specified.
**
** scrub ?--force? Remove all SSL configuration data from the
** repository. Use --force to omit the
** confirmation.
**
** show ?-v? Show the TLS configuration. Add -v to see
** additional explaination
*/
void test_tlsconfig_info(void){
#if !defined(FOSSIL_ENABLE_SSL)
fossil_print("TLS disabled in this build\n");
#else
const char *zCmd;
size_t nCmd;
int nHit = 0;
db_find_and_open_repository(OPEN_OK_NOT_FOUND|OPEN_SUBSTITUTE,0);
db_open_config(1,0);
if( g.argc==2 || (g.argc>=3 && g.argv[2][0]=='-') ){
zCmd = "show";
nCmd = 4;
}else{
zCmd = g.argv[2];
nCmd = strlen(zCmd);
}
if( strncmp("clear-cert",zCmd,nCmd)==0 && nCmd>=4 ){
int bForce = find_option("force","f",0)!=0;
verify_all_options();
if( !bForce ){
Blob ans;
char cReply;
prompt_user(
"Confirm removing of the SSL server certificate from this repository.\n"
"The removal cannot be undone. Continue (y/N)? ", &ans);
cReply = blob_str(&ans)[0];
if( cReply!='y' && cReply!='Y' ){
fossil_exit(1);
}
}
db_unprotect(PROTECT_ALL);
db_multi_exec(
"PRAGMA secure_delete=ON;"
"DELETE FROM config "
" WHERE name IN ('ssl-cert','ssl-cert-file','ssl-cert-key');"
);
db_protect_pop();
}else
if( strncmp("load-cert",zCmd,nCmd)==0 && nCmd>=4 ){
int bFN = find_option("filename",0,0)!=0;
int i;
Blob allText = BLOB_INITIALIZER;
int haveCert = 0;
int haveKey = 0;
verify_all_options();
db_begin_transaction();
db_unprotect(PROTECT_ALL);
db_multi_exec(
"PRAGMA secure_delete=ON;"
"DELETE FROM config "
" WHERE name IN ('ssl-cert','ssl-cert-file','ssl-cert-key');"
);
nHit = 0;
for(i=3; i<g.argc; i++){
Blob x;
int isCert;
int isKey;
if( !file_isfile(g.argv[i], ExtFILE) ){
fossil_fatal("no such file: \"%s\"", g.argv[i]);
}
blob_read_from_file(&x, g.argv[i], ExtFILE);
isCert = strstr(blob_str(&x),"-----BEGIN CERTIFICATE-----")!=0;
isKey = strstr(blob_str(&x),"-----BEGIN PRIVATE KEY-----")!=0;
if( !isCert && !isKey ){
fossil_fatal("not a certificate or a private key: \"%s\"", g.argv[i]);
}
if( isCert ){
if( haveCert ){
fossil_fatal("more than one certificate provided");
}
haveCert = 1;
if( bFN ){
db_set("ssl-cert-file", file_canonical_name_dup(g.argv[i]), 0);
}else{
blob_append(&allText, blob_buffer(&x), blob_size(&x));
}
if( isKey && !haveKey ){
haveKey = 1;
isKey = 0;
}
}
if( isKey ){
if( haveKey ){
fossil_fatal("more than one private key provided");
}
haveKey = 1;
if( bFN ){
db_set("ssl-key-file", file_canonical_name_dup(g.argv[i]), 0);
}else{
blob_append(&allText, blob_buffer(&x), blob_size(&x));
}
}
}
db_protect_pop();
if( !haveCert ){
if( !haveKey ){
fossil_fatal("missing certificate and private-key");
}else{
fossil_fatal("missing certificate");
}
}else if( !haveKey ){
fossil_fatal("missing private-key");
}
if( !bFN ){
db_set("ssl-cert", blob_str(&allText), 0);
}
db_commit_transaction();
}else
if( strncmp("scrub",zCmd,nCmd)==0 && nCmd>4 ){
int bForce = find_option("force","f",0)!=0;
verify_all_options();
if( !bForce ){
Blob ans;
char cReply;
prompt_user(
"Scrubbing the SSL configuration will permanently delete information.\n"
"Changes cannot be undone. Continue (y/N)? ", &ans);
cReply = blob_str(&ans)[0];
if( cReply!='y' && cReply!='Y' ){
fossil_exit(1);
}
}
db_unprotect(PROTECT_ALL);
db_multi_exec(
"PRAGMA secure_delete=ON;"
"DELETE FROM config WHERE name GLOB 'ssl-*';"
);
db_protect_pop();
}else
if( strncmp("show",zCmd,nCmd)==0 ){
const char *zName, *zValue;
size_t nName;
Stmt q;
int verbose = find_option("verbose","v",0)!=0;
verify_all_options();
fossil_print("OpenSSL-version: %s (0x%09x)\n",
SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER);
if( verbose ){
fossil_print("\n"
" The version of the OpenSSL library being used\n"
" by this instance of Fossil. Version 3.0.0 or\n"
" later is recommended.\n\n"
);
}
fossil_print("OpenSSL-cert-file: %s\n", X509_get_default_cert_file());
fossil_print("OpenSSL-cert-dir: %s\n", X509_get_default_cert_dir());
if( verbose ){
fossil_print("\n"
" The default locations for the set of root certificates\n"
" used by the \"fossil sync\" and similar commands to verify\n"
" the identity of servers for \"https:\" URLs. These values\n"
" come into play when Fossil is used as a TLS client. These\n"
" values are built into your OpenSSL library.\n\n"
);
}
zName = X509_get_default_cert_file_env();
zValue = fossil_getenv(zName);
if( zValue==0 ) zValue = "";
nName = strlen(zName);
fossil_print("%s:%*s%s\n", zName, 18-nName, "", zValue);
zName = X509_get_default_cert_dir_env();
zValue = fossil_getenv(zName);
if( zValue==0 ) zValue = "";
nName = strlen(zName);
fossil_print("%s:%*s%s\n", zName, 18-nName, "", zValue);
if( verbose ){
fossil_print("\n"
" Alternative locations for the root certificates used by Fossil\n"
" when it is acting as a SSL client in order to verify the identity\n"
" of servers. If specified, these alternative locations override\n"
" the built-in locations.\n\n"
);
}
fossil_print("ssl-ca-location: %s\n", db_get("ssl-ca-location",""));
if( verbose ){
fossil_print("\n"
" This setting is the name of a file or directory that contains\n"
" the complete set of root certificates to used by Fossil when it\n"
" is acting as a SSL client. If defined, this setting takes\n"
" priority over built-in paths and environment variables\n\n"
);
}
fossil_print("ssl-identity: %s\n", db_get("ssl-identity",""));
if( verbose ){
fossil_print("\n"
" This setting is the name of a file that contains the PEM-format\n"
" certificate and private-key used by Fossil clients to authentice\n"
" with servers. Few servers actually require this, so this setting\n"
" is usually blank.\n\n"
);
}
zValue = db_get("ssl-cert",0);
if( zValue ){
fossil_print("ssl-cert: (%d-byte PEM)\n", (int)strlen(zValue));
}else{
fossil_print("ssl-cert:\n");
}
if( verbose ){
fossil_print("\n"
" This setting is the PEM-formatted value of the SSL server\n"
" certificate and private-key, used by Fossil when it is acting\n"
" as a server via the \"fossil server\" command or similar.\n\n"
);
}
fossil_print("ssl-cert-file: %s\n", db_get("ssl-cert-file",""));
fossil_print("ssl-key-file: %s\n", db_get("ssl-key-file",""));
if( verbose ){
fossil_print("\n"
" This settings are the names of files that contin the certificate\n"
" private-key used by Fossil when it is acting as a server.\n\n"
);
}
db_prepare(&q,
"SELECT name, '' FROM global_config"
" WHERE name GLOB 'cert:*'"
"UNION ALL "
"SELECT name, date(mtime,'unixepoch') FROM config"
" WHERE name GLOB 'cert:*'"
" ORDER BY name"
);
nHit = 0;
while( db_step(&q)==SQLITE_ROW ){
fossil_print("exception: %-40s %s\n",
db_column_text(&q,0)+5, db_column_text(&q,1));
nHit++;
}
db_finalize(&q);
if( nHit && verbose ){
fossil_print("\n"
" The exceptions are server certificates that the Fossil client\n"
" is unable to verify using root certificates, but which should be\n"
" accepted anyhow.\n\n"
);
}
}else
if( strncmp("remove-exception",zCmd,nCmd)==0 ){
int i;
Blob sql;
char *zSep = "(";
db_begin_transaction();
blob_init(&sql, 0, 0);
|
| ︙ | ︙ | |||
946 947 948 949 950 951 952 |
db_exec_sql(blob_str(&sql));
db_protect_pop();
db_commit_transaction();
blob_reset(&sql);
}else
/*default*/{
fossil_fatal("unknown sub-command \"%s\".\nshould be one of:"
| | | 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 |
db_exec_sql(blob_str(&sql));
db_protect_pop();
db_commit_transaction();
blob_reset(&sql);
}else
/*default*/{
fossil_fatal("unknown sub-command \"%s\".\nshould be one of:"
" load-certs remove-exception scrub show",
zCmd);
}
#endif
}
|
Changes to src/rebuild.c.
| ︙ | ︙ | |||
914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 |
if( privateOnly || bVerily ){
bNeedRebuild = db_exists("SELECT 1 FROM private");
delete_private_content();
}
if( !privateOnly ){
db_unprotect(PROTECT_ALL);
db_multi_exec(
"UPDATE user SET pw='';"
"DELETE FROM config WHERE name IN"
"(WITH pattern(x) AS (VALUES"
" ('baseurl:*'),"
" ('cert:*'),"
" ('ckout:*'),"
" ('draft[1-9]-*'),"
" ('gitpush:*'),"
" ('http-auth:*'),"
" ('last-sync-*'),"
" ('link:*'),"
" ('login-group-*'),"
" ('peer-*'),"
" ('skin:*'),"
" ('subrepo:*'),"
" ('sync-*'),"
" ('syncfrom:*'),"
| > | > | 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 |
if( privateOnly || bVerily ){
bNeedRebuild = db_exists("SELECT 1 FROM private");
delete_private_content();
}
if( !privateOnly ){
db_unprotect(PROTECT_ALL);
db_multi_exec(
"PRAGMA secure_delete=ON;"
"UPDATE user SET pw='';"
"DELETE FROM config WHERE name IN"
"(WITH pattern(x) AS (VALUES"
" ('baseurl:*'),"
" ('cert:*'),"
" ('ckout:*'),"
" ('draft[1-9]-*'),"
" ('gitpush:*'),"
" ('http-auth:*'),"
" ('last-sync-*'),"
" ('link:*'),"
" ('login-group-*'),"
" ('peer-*'),"
" ('skin:*'),"
" ('subrepo:*'),"
" ('sync-*'),"
" ('syncfrom:*'),"
" ('syncwith:*'),"
" ('ssl-*')"
") SELECT name FROM config, pattern WHERE name GLOB x);"
);
if( bVerily ){
db_multi_exec(
"DELETE FROM concealed;\n"
"UPDATE rcvfrom SET ipaddr='unknown';\n"
"DROP TABLE IF EXISTS accesslog;\n"
|
| ︙ | ︙ |