On 16/08/15 19:56, Saul Hazledine wrote:
> Hello,
>   I have been using a self-signed certificate on my Fossil server for
> the last year and it just expired. I have replaced the expired
> self-signed certificate with a new/different self-signed certificate.

   I assume you aren't using client certificates; but I'll ask anyway:
Are you using client-certificates to achieve mutual authentication, or
is it a server-only certificate?

> However, two scary things happened:
> 1. The Fossil client kept on working with the old expired certificate.

   We could check for expired certificates on the client, but note that
the important question is whether the server accepts expired
certificates.  (The client can be manipulated, so that check can't be
trusted for access control).

   What are you using to serve the repository over SSL?  stunnel?
Apache?  Other?

   It was a while back, but I have a vague memory of fossil complaining
when my certificates expired; though I use mutual authentication -- and
I'm not entirely sure I remember correctly.

> 2. Fossil trusted the new certificate without any interaction from me.

   Did you point out the new CA certificate on the client?  If you did,
then you got the expected behavior; when you point out a CA certificate
you're telling fossil that you trust it as a signatory for certificates
(hence you trust the server/client certificates which it has signed).
(This is in fact the whole point with X.509 PKI, and where it differs
from structures like OpenPGP).

   If you didn't add the CA as a trusted CA in fossil, then it should
have asked you to trust the server certificate.  I'm not sure how the
check is done; if it only compares name fields it's not good.
Unfortunately I'll be a little busy the next few days, but send me a
ping in a week or so if it still remains a mystery and I'll take a
closer look.

> Have I done something stupid or have I misunderstood what protection
> Fossil provides when using self signed certificates?

   There's no technical difference between self-signed certificates and
commercially signed certificates, so (in this regard) they should work
the same.

-- 
Kind Regards,
Jan
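As an added illustration (not code from this thread or from Fossil itself), here is what the client-side check discussed above looks like in Go: chain the server certificate to a trusted certificate (a CA, or the self-signed server certificate itself), require the hostname, refuse an expired leaf, and compare a pinned SHA-256 fingerprint rather than name fields so a silently replaced certificate is noticed. The helper names makeCert, fingerprint and checkServerCert and the generated test certificates are my own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// makeCert builds a throwaway certificate for cn; with parent == nil it is
// self-signed, like the server certificate in this thread (constructed test key).
func makeCert(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// fingerprint hashes the DER bytes: a replacement certificate differs even when every name field matches.
func fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// checkServerCert: the leaf must chain to the trusted certificate (a CA, or the self-signed
// server cert itself), name host, be valid at now and, if pinned is set, match the stored fingerprint.
func checkServerCert(leaf, trusted *x509.Certificate, host string, pinned *[32]byte, now time.Time) error {
	if pinned != nil && fingerprint(leaf) != *pinned {
		return errors.New("fingerprint mismatch: the server certificate has changed")
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}
```

Verifying a self-signed certificate by placing it in the root pool is what makes "no technical difference" between self-signed and CA-signed certificates concrete; the pin is the part that catches a replacement the name check alone would accept.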
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users