Hello, I've added support for supplying CA certificates and client certificates/keys to fossil on the jan-clientcert branch. This will allow fossil to be used against https servers which require full client/CA certificate chain verification.
Unfortunately, I've stepped off the path a little with regard to prior art: I'm using environment variables. The way it works is like this:

  $ FOSSIL_CAFILE=/etc/ssl/public/ca.crt FOSSIL_CCERT=~/.certs/mycompany.crt FOSSIL_CKEY=~/.certs/mycompany.key fossil clone https://repos.mycompany.com/secret/projectX x.fossil

  (FOSSIL_CAPATH is supported too)

  $ fossil sync -R x.fossil

..in other words: the variables are cached in the global configuration in a somewhat similar way to the server certificate (there's a URL association, but it differs in that it only stores the references, rather than the actual certificates/keys).

The reason I used environment variables was that I couldn't figure out a good interface for managing certificates/keys. Also I was slightly lazy, because I needed the feature fast. Suggestions on better (more fossil-like) solutions are welcome.

Anyone affected by ticket 727af73f46 ("ssl: on "pull -R repo", gets ssl certificate again, asks to accept a/y/N", http://www.fossil-scm.org/index.html/info/727af73f46) but who doesn't use client certificates could try my branch and only supply FOSSIL_CAFILE or FOSSIL_CAPATH, and see if it stops asking about accepting the certificate. Please let me know about the results.

Finally, a known limitation is that it doesn't support password protected client keys. This is on my ToDo-list.

-- 
Kind regards,
Jan Danielsson
_______________________________________________
fossil-users mailing list
[email protected]
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
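A pre-flight check for the files the FOSSIL_* variables in the message above point at, as an added example that is not part of the original post or of fossil: since only references are cached, it checks that each referenced path is readable, that the client key is not passphrase-protected (the limitation noted above) and not accessible to group/others, and, when openssl is installed, that certificate and key belong together. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of fossil; function names are hypothetical.
# Checks the files named by FOSSIL_CAFILE/FOSSIL_CAPATH/FOSSIL_CCERT/FOSSIL_CKEY.

# True if the PEM file is a passphrase-protected private key
# (PKCS#8 header, or the traditional OpenSSL "Proc-Type" header).
key_is_encrypted() {
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# True if group or others have any permission bit on the file.
key_is_exposed() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# True if certificate $1 and private key $2 carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints one line per problem; returns non-zero if any problem was found.
fossil_tls_preflight() {
    rc=0
    for var in FOSSIL_CAFILE FOSSIL_CAPATH FOSSIL_CCERT FOSSIL_CKEY; do
        eval "path=\${$var:-}"
        if [ -n "$path" ] && [ ! -r "$path" ]; then
            echo "$var: cannot read $path"; rc=1
        fi
    done
    key=${FOSSIL_CKEY:-}
    if [ -n "$key" ] && [ -r "$key" ]; then
        if key_is_encrypted "$key"; then
            echo "FOSSIL_CKEY: key is passphrase-protected (not supported)"; rc=1
        elif [ -r "${FOSSIL_CCERT:-}" ] && command -v openssl >/dev/null 2>&1 \
             && ! cert_matches_key "$FOSSIL_CCERT" "$key"; then
            echo "FOSSIL_CCERT: certificate does not match FOSSIL_CKEY"; rc=1
        fi
        if key_is_exposed "$key"; then
            echo "FOSSIL_CKEY: $key is accessible to group/others"; rc=1
        fi
    fi
    return $rc
}
```

Run `fossil_tls_preflight` in the same shell where the FOSSIL_* variables are set, before the first clone.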

