
Check-in [b261c4a3]

Overview
Comment:Cosmetic: Removed some tabbed indentation.
SHA1:b261c4a33b62092284f65752eace50263cc48ff5
User & Date: jan 2011-03-29 15:06:41
Context
2011-03-29
19:28
Merge from trunk. check-in: 2ac7b3e1 user: jan tags: jan-clientcert
15:06
Cosmetic: Removed some tabbed indentation. check-in: b261c4a3 user: jan tags: jan-clientcert
14:12
Add support for feeding OpenSSL a CA certificate file/path for proper chain verification. This is one of several possible solutions to ticket [727af73f46]. Also cache the CA certificate file/path, client certificate/key file/path references in the global config (similar to how the server certificates are cached), and attempt to use them if the corresponding environment variables have not been set. Prefixed a function with ssl_ to conform to existing naming conventions. check-in: b28995cc user: jan tags: jan-clientcert
Changes

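--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -312,27 +312,27 @@
 
   if( cafile || capath ){
      /* The OpenSSL documentation warns that if several CA certificates match
       * the same name, key identifier and serial number conditions, only the
       * first will be examined. The caveat situation is when one stores an
       * expired CA certificate among the valid ones.
       * Simply put: Do not mix expired and valid certificates.
-		*/
-	  if( SSL_CTX_load_verify_locations(sslCtx, cafile, capath) == 0){
-		  fossil_fatal("SSL: Unable to load CA verification file/path");
-	  }
+      */
+    if( SSL_CTX_load_verify_locations(sslCtx, cafile, capath) == 0){
+      fossil_fatal("SSL: Unable to load CA verification file/path");
+    }
   }else{
     fossil_warning("SSL: CA file/path missing for certificate verification.");
   }
 
   certfile = ssl_get_and_set_file_ref("FOSSIL_CCERT", "ccert");
   if( !certfile ){
-	  free(capath);
-	  free(cafile);
-	  return;
+     free(capath);
+     free(cafile);
+     return;
   }
 
   keyfile = ssl_get_and_set_file_ref("FOSSIL_CKEY", "ckey");
 
   /* Assume the key is in the certificate file if key file was not specified */
   if( certfile && !keyfile )
     keyfile = certfile;
@@ -366,20 +366,20 @@
   char *zTmp;
 
   zTmp = mprintf("%s:%s", dbvar, g.urlName);
 
   zVar = getenv(envvar);
   if( zVar ){
     zVar = strdup(zVar);
-	 if( zVar == NULL ){
+    if( zVar == NULL ){
       fossil_fatal("Unable to allocate memory for %s value.", envvar);
-	 }
+    }
     db_set(zTmp, zVar, 1);
   }else{
     zVar = db_get(zTmp, NULL);
   }
   free(zTmp);
 
   return zVar;
 }
 
 #endif /* FOSSIL_ENABLE_SSL */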