[ https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348182#comment-15348182 ]

Michael Osipov edited comment on SERF-179 at 6/24/16 12:14 PM:
---------------------------------------------------------------

Bert, this would be effective if this compile flag is not overridden by the 
user by some means. At least on FreeBSD serf is compiled without that, but 
{{ca_root_nss}} is available. This is bad user experience. One should have to 
configure as little as possible. I noticed this when we recently refreshed 
our server certificate.
E.g., curl works out of the box on our FreeBSD and RHEL machines because at 
compile time the default CA bundle is passed.

This option is solely interesting for OS/distro maintainers and admins, not 
really users; they can still stick to the higher-level conf and override it.


was (Author: michael-o):
Bert, this would be effective if this option is not overridden by the user by 
some means. At least on FreeBSD serf is compiled without that, but 
{{ca_root_nss}} is available. This is bad user experience. One should have to 
configure as little as possible. I noticed this when we recently refreshed 
our server certificate.
E.g., curl works out of the box on our FreeBSD and RHEL machines because at 
compile time the default CA bundle is passed.

This option is solely interesting for OS/distro maintainers and admins, not 
really users; they can still stick to the higher-level conf and override it.

> Add CAFILE, CAPATH, CAFALLBACK as compile time option
> -----------------------------------------------------
>
>                 Key: SERF-179
>                 URL: https://issues.apache.org/jira/browse/SERF-179
>             Project: serf
>          Issue Type: Improvement
>    Affects Versions: serf-1.3.8
>            Reporter: Michael Osipov
>
> Currently, libserf does not provide an option to supply a PEM bundle with 
> CAs. Subversion always nags about whether the target host can be trusted. 
> This is annoying and can be automated.
> Add three options supported by OpenSSL natively:
> * {{scons CAFILE=/path/to/ca.pem}}
> * {{scons CAPATH=/path/to/directory-with-pems}}
> * {{scons CAFALLBACK=yes}}
> Three defines can be added then: {{SERF_CA_BUNDLE}}, {{SERF_CA_PATH}} and 
> {{SERF_CA_FALLBACK}}. These can be safely fed into 
> {{SSL_CTX_load_verify_locations(3)}} and 
> {{SSL_CTX_set_default_verify_paths(3)}}. [OpenSSL 
> reference|https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html].
> This idea has been freely taken from {{libcurl}}, which does exactly this.
> * [bundle and path m4 
> macros|https://github.com/curl/curl/blob/d9f3b365a3b663d6e45ff734a86b313e2fbcbbf2/acinclude.m4#L2560-L2719]
> * [Source code 
> spots|https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L1967-L2009]
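The precedence the issue proposes (explicit bundle or path first, OpenSSL's built-in default store only as a fallback, and an empty trust store reported rather than silently accepted) can be tried out without a serf build. The following is an added example, not serf's or libcurl's code; it uses Python's ssl module, which wraps the same two OpenSSL calls named above, and the SERF_CA_* names are stand-ins for the proposed compile-time defines.

```python
"""Model the CA-default precedence of SERF-179 (added example, not serf code).
ssl.SSLContext.load_verify_locations -> SSL_CTX_load_verify_locations(3)
ssl.SSLContext.load_default_certs     -> SSL_CTX_set_default_verify_paths(3)
"""
import ssl
from enum import Enum


class CaSource(Enum):
    NONE = "none"          # nothing built in: the application must supply CAs
    EXPLICIT = "explicit"  # SERF_CA_BUNDLE / SERF_CA_PATH loaded
    SYSTEM = "system"      # SERF_CA_FALLBACK: OpenSSL's default file/dir
    ERROR = "error"        # an explicit location was configured but unloadable


# Hypothetical stand-ins for the three proposed defines (values are constructed).
SERF_CA_BUNDLE = None     # e.g. the ca_root_nss bundle path on FreeBSD
SERF_CA_PATH = None       # e.g. a hashed directory of PEM files
SERF_CA_FALLBACK = True   # scons CAFALLBACK=yes


def load_ca_defaults(ctx, cafile=None, capath=None, fallback=False):
    """libcurl's order: an explicit location wins and a broken one is an error;
    the system store is used only when nothing explicit is configured."""
    if cafile is not None or capath is not None:
        try:
            ctx.load_verify_locations(cafile=cafile, capath=capath)
        except (OSError, ssl.SSLError):
            return CaSource.ERROR      # e.g. missing file: do not fall through
        return CaSource.EXPLICIT
    if fallback:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
        return CaSource.SYSTEM
    return CaSource.NONE


def build_context(cafile=SERF_CA_BUNDLE, capath=SERF_CA_PATH,
                  fallback=SERF_CA_FALLBACK):
    """Return a verifying client context and the CA source it ended up with."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    return ctx, load_ca_defaults(ctx, cafile, capath, fallback)


def ca_count(ctx):
    """Number of CA certificates in the context's store (0 means every
    verifying connection will fail, which is the 'nags' symptom in the issue)."""
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    ctx, source = build_context()
    print(f"CA source: {source.value}, CA certificates loaded: {ca_count(ctx)}")
```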



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)