[ https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348073#comment-15348073 ]

Bert Huijben commented on SERF-179:
-----------------------------------

I don't think we should require recompiling to change settings like these. We 
already have APIs for changing these so applications can expose these options 
in their config file. We also have a function to enable loading the OpenSSL (or 
other SSL implementation if you choose) default CA settings.

Applications like Subversion already use these features. 

And at least FreeBSD and Ubuntu (including Ubuntu on Windows) configure 
Subversion so that I don't have to accept servers manually; they use their 
managed lists via the current support.

> Add CAFILE, CAPATH, CAFALLBACK as compile time option
> -----------------------------------------------------
>
>                 Key: SERF-179
>                 URL: https://issues.apache.org/jira/browse/SERF-179
>             Project: serf
>          Issue Type: Improvement
>    Affects Versions: serf-1.3.8
>            Reporter: Michael Osipov
>
> Currently, libserf does not provide an option to supply a PEM bundle with 
> CAs. Subversion always nags whether the target host can be trusted. This is 
> annoying and can be automated.
> Add three options supported by OpenSSL natively:
> * {{scons CAFILE=/path/to/ca.pem}}
> * {{scons CAPATH=/path/to/directory-with-pems}}
> * {{scons CAFALLBACK=yes}}
> Three defines can be added then: {{SERF_CA_BUNDLE}}, {{SERF_CA_PATH}} and 
> {{SERF_CA_FALLBACK}}. This can be safely fed into 
> {{SSL_CTX_load_verify_locations(3)}} and 
> {{SSL_CTX_set_default_verify_paths(3)}}. [OpenSSL 
> reference|https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html].
> This idea has freely been taken from {{libcurl}} which does this exactly.
> * [bundle and path m4 
> macros|https://github.com/curl/curl/blob/d9f3b365a3b663d6e45ff734a86b313e2fbcbbf2/acinclude.m4#L2560-L2719]
> * [Source code 
> spots|https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L1967-L2009]
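As an added illustration (not serf's code and not from anyone in this thread), here is how the proposed trust-store selection looks at the OpenSSL API level, written with Python's ssl module, which wraps the same two calls. The SERF_* constants stand in for the proposed build-time defines, the function names are mine, and the runtime arguments model the API-level override Bert describes.

```python
import ssl
from typing import Optional

# Constructed stand-ins for the proposed build-time defines (SERF_CA_BUNDLE,
# SERF_CA_PATH, SERF_CA_FALLBACK); a real build would get them from scons.
SERF_CA_BUNDLE: Optional[str] = None   # e.g. "/etc/ssl/certs/ca-certificates.crt"
SERF_CA_PATH: Optional[str] = None     # e.g. "/etc/ssl/certs" (c_rehash-style dir)
SERF_CA_FALLBACK: bool = True          # allow SSL_CTX_set_default_verify_paths(3)


def make_verify_context(cafile=None, capath=None, fallback=None) -> ssl.SSLContext:
    """Build a client context whose trust store follows the SERF-179 proposal.

    Runtime arguments override the build-time defaults, so an application
    (Subversion, say) can set them from its config without recompiling.
    SSLContext.load_verify_locations() wraps SSL_CTX_load_verify_locations(3);
    load_default_certs() wraps SSL_CTX_set_default_verify_paths(3) on POSIX.
    """
    cafile = cafile if cafile is not None else SERF_CA_BUNDLE
    capath = capath if capath is not None else SERF_CA_PATH
    fallback = fallback if fallback is not None else SERF_CA_FALLBACK

    # PROTOCOL_TLS_CLIENT gives CERT_REQUIRED plus hostname checking but loads
    # no CAs, so the store ends up holding exactly what is added below.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    if cafile is not None or capath is not None:
        # A missing bundle fails loudly (OSError/SSLError) instead of leaving
        # an empty store that would reject every server.
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    elif fallback:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        raise ValueError("no CA source configured and default paths disabled")
    return ctx


def trusted_ca_count(ctx: ssl.SSLContext) -> int:
    """CA certificates currently held in the context's X509 store.

    Certificates under a capath are looked up lazily by subject hash, so a
    directory-only configuration reports 0 until a verification runs.
    """
    return ctx.cert_store_stats()["x509_ca"]
```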

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)