[ https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348182#comment-15348182 ]
Michael Osipov edited comment on SERF-179 at 6/24/16 12:20 PM:
---------------------------------------------------------------

Bert, this would be effective if this compile flag is not overridden by the user by some means. At least on FreeBSD serf is compiled without that but {{ca_root_nss}} is available. This is bad user experience. One should have to configure as little as possible. I have noticed this when we lately refreshed our server certificate. E.g., curl works out of the box on our FreeBSD and RHEL machines because at compile-time the default CA bundle is passed.

This option is solely interesting for OS/distro maintainers and admins. Not really users, they still can stick to the higher level conf and override it.

I also fail to see where one can pass this option:

{noformat}
osipovmi@blnn719x:~/Projekte/serf/buckets$ fgrep -R SSL_CTX_ . | less
./ssl_buckets.c:    ssl_ctx->ctx = SSL_CTX_new(SSLv23_client_method());
./ssl_buckets.c:    SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
./ssl_buckets.c:    SSL_CTX_set_mode(ssl_ctx->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
./ssl_buckets.c:    SSL_CTX_set_client_cert_cb(ssl_ctx->ctx, ssl_need_client_cert);
./ssl_buckets.c:    SSL_CTX_set_verify(ssl_ctx->ctx, SSL_VERIFY_PEER,
./ssl_buckets.c:    SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_ALL);
./ssl_buckets.c:    SSL_CTX_sess_set_new_cb(ssl_ctx->ctx, ssl_new_session);
./ssl_buckets.c:    SSL_CTX_set_info_callback(ssl_ctx->ctx, apps_ssl_info_callback);
./ssl_buckets.c:    SSL_CTX_free(ssl_ctx->ctx);
./ssl_buckets.c:    X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
./ssl_buckets.c:    X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
./ssl_buckets.c:    X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
./ssl_buckets.c:    store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
./ssl_buckets.c:    SSL_CTX_set_tlsext_status_cb(ssl_ctx->ctx, ocsp_callback);
./ssl_buckets.c:    SSL_CTX_set_tlsext_status_arg(ssl_ctx->ctx, ssl_ctx);
./ssl_buckets.c:    SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_NO_COMPRESSION);
./ssl_buckets.c:    SSL_CTX_set_info_callback(ssl_ctx->ctx, detect_renegotiate);
{noformat}

> Add CAFILE, CAPATH, CAFALLBACK as compile time option
> -----------------------------------------------------
>
>                 Key: SERF-179
>                 URL: https://issues.apache.org/jira/browse/SERF-179
>             Project: serf
>          Issue Type: Improvement
>    Affects Versions: serf-1.3.8
>            Reporter: Michael Osipov
>
> Currently, libserf does not provide an option to supply a PEM bundle with
> CAs. Subversion always nags whether the target host can be trusted. This is
> annoying and can be automated.
>
> Add three options supported by OpenSSL natively:
> * {{scons CAFILE=/path/to/ca.pem}}
> * {{scons CAPATH=/path/to/directory-with-pems}}
> * {{scons CAFALLBACK=yes}}
>
> Three defines can be added then: {{SERF_CA_BUNDLE}}, {{SERF_CA_PATH}} and
> {{SERF_CA_FALLBACK}}. This can be safely fed into
> {{SSL_CTX_load_verify_locations(3)}} and
> {{SSL_CTX_set_default_verify_paths(3)}}. [OpenSSL
> reference|https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html].
>
> This idea has freely been taken from {{libcurl}} which does this exactly.
> * [bundle and path m4
> macros|https://github.com/curl/curl/blob/d9f3b365a3b663d6e45ff734a86b313e2fbcbbf2/acinclude.m4#L2560-L2719]
> * [Source code
> spots|https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L1967-L2009]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
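As an added example (not serf's code and not from this thread), here is the CAFILE / CAPATH / CAFALLBACK policy the issue proposes, written in Python because its ssl module wraps the same SSL_CTX_load_verify_locations(3) and SSL_CTX_set_default_verify_paths(3) calls; the function names, the empty-store error and the capath existence check are my own assumptions about how a maintainer would want this to behave.

```python
import os
import ssl


def build_verify_context(cafile=None, capath=None, fallback=False):
    """Mirror of the proposed SERF_CA_BUNDLE / SERF_CA_PATH / SERF_CA_FALLBACK
    defines: explicit locations go to SSL_CTX_load_verify_locations(3), the
    fallback flag adds OpenSSL's compiled-in defaults via
    SSL_CTX_set_default_verify_paths(3). Peer verification is always on."""
    if not (cafile or capath or fallback):
        # No source at all means an empty trust store: every peer then fails
        # verification, which is the "can this host be trusted?" nag above.
        raise ValueError("no CA source configured; trust store would be empty")
    # OpenSSL only records a capath string and consults it lazily at lookup
    # time, so a mistyped directory would silently behave like no CAs at all.
    if capath is not None and not os.path.isdir(capath):
        raise FileNotFoundError(f"CA directory not found: {capath}")
    if cafile is not None and not os.path.isfile(cafile):
        raise FileNotFoundError(f"CA bundle not found: {cafile}")

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED  # SSL_VERIFY_PEER, as in ssl_buckets.c
    ctx.check_hostname = True
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    if fallback:
        ctx.set_default_verify_paths()
    return ctx


def trust_anchor_count(ctx):
    """CA certificates loaded eagerly into the store (a cafile or the default
    bundle). A capath is read lazily, so its certificates are not counted."""
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    ctx = build_verify_context(fallback=True)
    print("trust anchors from default paths:", trust_anchor_count(ctx))
```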