Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Expanded on the "Certificates" section of www/ssl.wiki to fill in some details. The key improvement is making the first line of the OpenSSL error when the CA trust store isn't set up searchable. As it was, you pretty much had to know the solution already in order to seek out this documentation! |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
b3c0c07c0703a21cf363d7481a33fa90 |
| User & Date: | wyoung 2020-04-26 03:58:27.676 |
Context
|
2020-04-26
| ||
| 15:39 | Add the "test-ssl-trust-store" command for testing and diagnostics. ... (check-in: 67147dd6be user: drh tags: trunk) | |
| 03:58 | Expanded on the "Certificates" section of www/ssl.wiki to fill in some details. The key improvement is making the first line of the OpenSSL error when the CA trust store isn't set up searchable. As it was, you pretty much had to know the solution already in order to seek out this documentation! ... (check-in: b3c0c07c07 user: wyoung tags: trunk) | |
|
2020-04-24
| ||
| 05:21 | Add the ability to restrict subscriptions to specific email domains selected by GLOB patterns, and to require email verification before self-registration becomes effective. ... (check-in: c00e9123cb user: drh tags: trunk) | |
Changes
Changes to www/ssl.wiki.
| ︙ | ︙ | |||
102 103 104 105 106 107 108 | Beware, taking this path typically opens you up to new problems, which are conveniently covered in the next section! <h3 id="certs">Certificates</h3> To verify the identify of a server, TLS uses | | > > > > > > > | > | | < | > | < > > > > | | > > | | | | 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 |
Beware, taking this path typically opens you up to new problems, which
are conveniently covered in the next section!
<h3 id="certs">Certificates</h3>
To verify the identify of a server, TLS uses
[https://en.wikipedia.org/wiki/X.509#Certificates|X.509 certificates], a
scheme that depends on a trust hierarchy of so-called
[https://en.wikipedia.org/wiki/Certificate_authority | Certificate
Authorities]. The tree of trust relationships ultimately ends in the
CA roots, which are considered the ultimate arbiters of who to trust in
this scheme.
The question then is, what CA roots does Fossil trust?
If you are using a self-signed certificate, Fossil will initially not
know that it can trust your certificate, so you'll be asked if you want
to accept the certificate the first time you communicate with the
server. Verify the certificate fingerprint is correct, then answer
"always" if you want Fossil to remember your decision.
If you are cloning from or syncing to Fossil servers that use a
certificate signed by a well-known CA or one of its delegates, Fossil
still has to know which CA roots to trust. When this fails, you get a
big long error message that starts with this text:
<pre>
SSL verification failed: unable to get local issuer certificate
</pre>
Fossil relies on the OpenSSL library to have some way to check a trusted
list of CA signing keys. There are two common ways this fails:
# <p>The OpenSSL library Fossil is linked to doesn't have a CA
signing key set at all, so that it initially trusts no certificates
at all.</p>
# <p>The OpenSSL library does have a CA cert set, but your Fossil server's
TLS certificate was signed by a CA that isn't in that set.</p>
A common reason to fall into the second trap is that you're using
certificates signed by a local private CA, as often happens in large
enterprises. You can solve this sort of problem by getting your local
CA's signing certificate in PEM format and pointing OpenSSL at it:
<pre>
fossil set --global ssl-ca-location /path/to/local-ca.pem
</pre>
The use of <tt>--global</tt> with this option is common, since you may
have multiple reposotories served under certificates signed by that same
CA. However, if you have a mix of publicly-signed and locally-signed
certificates, you might want to drop the <tt>--global</tt> flag and set
this option on a per-repository basis instead.
A common way to run into the broader first problem is that you're on
FreeBSD, which does not install a CA certificate set by default, even as
a dependency of the OpenSSL library. If you're using a certificate
signed by one of the major public CAs, you can solve this by installing
the <tt>ca_root_nss</tt> package. That package contains the Mozilla NSS
certificate bundle, which gets installed in a location that OpenSSL
checks by default, so you don't need to change any Fossil settings.
(This is the same certificate set that ships with Firefox, by the way.)
The same sort of thing happens with the Windows build of OpenSSL, but
for a different core reason: Windows does ship with a stock CA
certificate set, but it's not in a format that OpenSSL understands how
to use. Rather than try to find a way to convert the data format, you
may find it acceptable to use the same Mozilla NSS cert set. I do not
know of a way to easily get this from Mozilla themselves, but I did find
a [https://curl.haxx.se/docs/caextract.html|third party source] for the
<tt>cacert.pem</tt> file. I suggest placing the file into your Windows
user home directory so that you can then point Fossil at it like so:
<pre>
fossil set --global ssl-ca-location %userprofile%\cacert.pem
</pre>
This can also happen if you've linked Fossil to a version of OpenSSL
[#openssl-src|built from source]. That same <tt>cacert.pem</tt> fix can
work in that case, too.
When you build Fossil on Linux platforms against the binary OpenSSL
|
| ︙ | ︙ |