Re: [fossil-users] Fossil HTTPS Support
If it gets added to trunk, could the binding to libcrypto and libopenssl please be optional? I mean rather than compiling with a dependency on those libs, add code to dynamically load these libraries and disable https: support if they cannot be found.

Those libraries are available standard on linux boxes, but not on windows. Not sure about FreeBSD OS X. The mingw dll's are about 1 MB in size if I remember well. Also, older posix systems may not have the right version available.

An alternative would be to consider something like the cyassl library, a 150K binary, which could be made a co-build, next to Fossil.

How would SSL support work in the case where fossil is hosted at a cheapo ISP and the cgi setup is used to serve requests?

Paul

From: fossil-users-boun...@lists.fossil-scm.org on behalf of Ron Aaron
Sent: Tue 1/12/2010 7:12 AM
To: fossil-users@lists.fossil-scm.org
Subject: Re: [fossil-users] Fossil HTTPS Support

On Tuesday 12 January 2010 08:09:21 George King wrote:
> Hi list,
>
> Given the recent security discussion, I would like to inquire about the current state of HTTPS support
>
> Unless there are compelling reasons not to, could these additions be merged into trunk?

I would also like this. No need for it to be a default -- if the repo address begins 'https', then use that ... otherwise, don't.

--
Sending me something private? Use my GPG public key: AD29415D

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] Fossil HTTPS Support
I'd also like to switch to https. I don't understand dependencies, etc very much. Does anyone have a recipe to build it with https support on Windows?

- Altu

-----Original Message-----
From: p...@planet.nl
To: fossil-users@lists.fossil-scm.org
Sent: Tue, Jan 12, 2010 5:28 pm
Subject: Re: [fossil-users] Fossil HTTPS Support

If it gets added to trunk, could the binding to libcrypto and libopenssl please be optional? I mean rather than compiling with a dependency on those libs, add code to dynamically load these libraries and disable https: support if they cannot be found.

Those libraries are available standard on linux boxes, but not on windows. Not sure about FreeBSD OS X. The mingw dll's are about 1 MB in size if I remember well. Also, older posix systems may not have the right version available.

An alternative would be to consider something like the cyassl library, a 150K binary, which could be made a co-build, next to Fossil.

How would SSL support work in the case where fossil is hosted at a cheapo ISP and the cgi setup is used to serve requests?

Paul

From: fossil-users-boun...@lists.fossil-scm.org on behalf of Ron Aaron
Sent: Tue 1/12/2010 7:12 AM
To: fossil-users@lists.fossil-scm.org
Subject: Re: [fossil-users] Fossil HTTPS Support

On Tuesday 12 January 2010 08:09:21 George King wrote:
> Hi list,
>
> Given the recent security discussion, I would like to inquire about the current state of HTTPS support
>
> Unless there are compelling reasons not to, could these additions be merged into trunk?

I would also like this. No need for it to be a default -- if the repo address begins 'https', then use that ... otherwise, don't.

--
Sending me something private? Use my GPG public key: AD29415D
Re: [fossil-users] HTTPS implementation
Hi Dmitry,

I built fossil with https support on Linux but it keeps asking me about the certificate even if I accept with 'a' (always). I tried merging trunk to ssl branch to see if it resolves the problem but it persists.

If I keep saying 'a' to certificate prompts, I can clone successfully. But then if I sync, it again prompts me and then prints the REPLACE INTO statement in console, followed by a message to run fossil all rebuild, which also does not help.

Please help.

This is how I built it:

    fossil open fossil.fsl ssl
    vi Makefile (to enable FOSSIL_ENABLE_SSL=1)
    make

This is fossil version [d92945e5da] 2009-11-09 21:22:32 UTC

- Altu

-----Original Message-----
From: Dmitry Chestnykh dch...@gmail.com
To: fossil-users@lists.fossil-scm.org
Sent: Thu, Nov 5, 2009 7:07 am
Subject: Re: [fossil-users] HTTPS implementation

Okay, here's how I currently implemented it.

Everything SSL is in http_ssl.c, which has a similar interface to http_socket.c, and http_transport.c calls these functions.

When a user connects to https server, s/he's presented with Unknown SSL certificate prompt, which prints some values from certificate, for example:

    Unknown SSL certificate:
      countryName = RU
      stateOrProvinceName = Some-State
      organizationName = Coding Robots
      commonName= codingrobots.com
      emailAddress = x...@xxx.com
    issued By:
    ...

and asks him to decline, accept or always accept this certificate. (Usually, when using HTTPS, SSL certificates signed by trusted root CAs are automatically accepted, however this requires keeping a list of root certificates -- I ignored this for now -- all certificates are untrusted by default).

If certificate is declined by the user, connection fails. If it's accepted, it continues.

If user chooses to always accept a certificate, Fossil saves it to ~/.fossil database in global_config table with the following format:

    key=cert:hostname
    value=PEM certificate

where PEM certificate is a certificate saved in PEM (text) format:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

The next time user connects to this hostname, Fossil looks up the certificate in global_config for the hostname and adds it to the trusted certificates list, so that user won't get prompted to accept it again.

That's it. It works for me on Mac OS X. Though I haven't yet checked if it actually encrypts anything, but it should :-) (Need a working traffic sniffer...).

Feel free to try to compile and test it: http://codingrobots.org/p/fossil

PS Also, everything is under #ifdef FOSSIL_ENABLE_SSL (which is currently defined in config.h). I'm not good in Makefiles and stuff, so I'm not sure how the actual configuration should be done.

--
Dmitry Chestnykh
Coding Robots
http://www.codingrobots.com
dmi...@codingrobots.com
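
The "always accept" scheme described in the quoted message above (a saved certificate per hostname, looked up on the next connection) can be sketched as follows. This is an added example, not code from Fossil's http_ssl.c or from anyone in the thread. Assumptions: the `name`/`value` column names, the `'y'`/`'n'` answers, the helper names, the host `host.example`, and the constructed sample "certificates", which are placeholder bytes rather than real X.509 data.

```python
import base64
import hashlib
import sqlite3

PEM_HEAD = "-----BEGIN CERTIFICATE-----"
PEM_TAIL = "-----END CERTIFICATE-----"

def make_pem(der):
    """Wrap bytes as PEM text; used only to build the constructed samples."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEAD] + lines + [PEM_TAIL]) + "\n"

def fingerprint(pem):
    """SHA-256 of the decoded certificate body, independent of line wrapping."""
    body = pem.replace(PEM_HEAD, "").replace(PEM_TAIL, "")
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    # Column names are an assumption; the post only gives key=cert:hostname, value=PEM.
    db.execute("CREATE TABLE IF NOT EXISTS global_config(name TEXT PRIMARY KEY, value TEXT)")
    return db

def check_cert(db, host, presented_pem, ask):
    """Return 'trusted', 'accepted-always', 'accepted-once' or 'declined'."""
    row = db.execute("SELECT value FROM global_config WHERE name = ?",
                     ("cert:" + host,)).fetchone()
    if row and fingerprint(row[0]) == fingerprint(presented_pem):
        return "trusted"  # matches the saved certificate: no prompt
    # Unknown host, or a certificate that differs from the saved one: ask again.
    answer = ask(host, fingerprint(presented_pem), changed=row is not None)
    if answer == "a":  # 'a' (always) is from the thread; 'y' and 'n' are assumed
        db.execute("REPLACE INTO global_config(name, value) VALUES (?, ?)",
                   ("cert:" + host, presented_pem))
        db.commit()
        return "accepted-always"
    return "accepted-once" if answer == "y" else "declined"

def demo():
    db = open_store()
    first = make_pem(b"constructed certificate A " * 4)   # constructed, not a real cert
    other = make_pem(b"constructed certificate B " * 4)   # constructed, not a real cert
    always = lambda host, fp, changed: "a"
    refuse = lambda host, fp, changed: "n"
    return [check_cert(db, "host.example", first, always),   # first contact
            check_cert(db, "host.example", first, refuse),   # saved: no prompt
            check_cert(db, "host.example", other, refuse)]   # changed certificate
```

The `changed` flag lets the prompt distinguish a host seen for the first time from a host whose certificate no longer matches the saved one, which is the case a stored-certificate scheme exists to surface.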