Fossil

Check-in [513ea810]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Added very basic client certificate support for https.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | jan-clientcert
Files: files | file ages | folders
SHA1:513ea81005b9292c16b3896c339de12081f029a8
User & Date: jan 2011-03-25 18:20:19
Context
2011-03-29
14:12
Add support for feeding OpenSSL a CA certificate file/path for proper chain verification. This is one of several possible solutions to ticket [727af73f46]. Also cache the CA certificate file/path, client certificate/key file/path references in the global config (similar to how the server certificates are cached), and attempt to use them if the corresponding environment variables have not been set. Prefixed a function with ssl_ to conform to existing naming conventions. check-in: b28995cc user: jan tags: jan-clientcert
2011-03-25
18:20
Added very basic client certificate support for https. check-in: 513ea810 user: jan tags: jan-clientcert
2011-03-10
17:42
Show the name of the user that is doing the commit in the prompt section commit comment template. check-in: cdc42492 user: drh tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/http_ssl.c.

129
130
131
132
133
134
135



136
137
138
139
140
141
142
...
283
284
285
286
287
288
289
290

































291
** Return the number of errors.
*/
int ssl_open(void){
  X509 *cert;
  int hasSavedCertificate = 0;
char *connStr ;
  ssl_global_init();




  /* Get certificate for current server from global config and
   * (if we have it in config) add it to certificate store.
   */
  cert = ssl_get_certificate();
  if ( cert!=NULL ){
    X509_STORE_add_cert(SSL_CTX_get_cert_store(sslCtx), cert);
................................................................................
    if( got<=0 ) break;
    total += got;
    N -= got;
    pContent = (void*)&((char*)pContent)[got];
  }
  return total;
}


































#endif /* FOSSIL_ENABLE_SSL */







>
>
>







 








>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
...
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
** Return the number of errors.
*/
int ssl_open(void){
  X509 *cert;
  int hasSavedCertificate = 0;
char *connStr ;
  ssl_global_init();

  /* If client certificate/key has been set, load them into the SSL context. */
  load_client_authfiles();

  /* Get certificate for current server from global config and
   * (if we have it in config) add it to certificate store.
   */
  cert = ssl_get_certificate();
  if ( cert!=NULL ){
    X509_STORE_add_cert(SSL_CTX_get_cert_store(sslCtx), cert);
................................................................................
    if( got<=0 ) break;
    total += got;
    N -= got;
    pContent = (void*)&((char*)pContent)[got];
  }
  return total;
}

/*
** Read client certificate and key, if set, and store them in the SSL context
** to allow communication with servers which are configured to verify client
** certificates and certificate chains.
** We only support PEM and don't support password protected keys.
*/
void load_client_authfiles(void)
{
  const char *certfile;
  const char *keyfile;

  certfile = getenv("FOSSIL_CCERT");
  if( certfile == NULL )
	  return;

  keyfile = getenv("FOSSIL_CKEY");

  /* Assume the key is in the certificate file if key file was not specified */
  if( certfile && !keyfile )
    keyfile = certfile;

  if( SSL_CTX_use_certificate_file(sslCtx, certfile, SSL_FILETYPE_PEM) <= 0 ){
    fossil_fatal("Unable to open client certificate in %s.", certfile);
  }
  if( SSL_CTX_use_PrivateKey_file(sslCtx, keyfile, SSL_FILETYPE_PEM) <= 0 ){
    fossil_fatal("Unable to open client key in %s.", keyfile);
  }

  if( !SSL_CTX_check_private_key(sslCtx) ){
    fossil_fatal("Private key does not match the certificate public key.");
  }
}

#endif /* FOSSIL_ENABLE_SSL */