Re: [fossil-users] SSL support, prebuilt binaries, Windows

2010-03-31 Thread Bjorn Toft Madsen
Thanks a lot, that fixed it.

I've verified https support and it works; sniffed the traffic too, it
is indeed all encrypted.

There is one outstanding issue, which I'm about to write a separate
email about, but that's more about how the SSL implementation handles
certificates signed by a CA, rather than self-signed.

Bjorn

On 30 March 2010 18:54, Rene de Zwart renew...@xs4all.nl wrote:

 On Tue, 30 March 2010 17:52, Bjorn Toft Madsen wrote:
 I managed a successful build of fossil on Windows, through the kind
 help of other list members.

 The only outstanding issue is some undefined references when
 FOSSIL_ENABLE_SSL=1:
 change
  ifdef FOSSIL_ENABLE_SSL
  LIB += -lcrypto -lssl
  endif
 to
  ifdef FOSSIL_ENABLE_SSL
  LIB = -lssl -lcrypto -lgdi32 -lmingwex -lz -lws2_32
  endif

 and it works (for me :-)



 --
 Rene de Zwart

 ___
 fossil-users mailing list
 fossil-users@lists.fossil-scm.org
 http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users



[fossil-users] HTTPS implementation doesn't remember certificates signed by CAs

2010-03-31 Thread Bjorn Toft Madsen
Through much help from list-members, I've finally managed to build a
SSL-capable binary of fossil.

On self-signed certificates the process is exactly as described by the
original author (Dmitry, BCCed): Fossil displays certificate info
before prompting to always accept, temporarily accept or reject the
certificate. If "always" is chosen, the certificate is remembered in
the global fossil DB (AppData/Local/_fossil on Windows, ~/.fossil on
*nix I believe). Next time, fossil doesn't ask but silently accepts.

On certificates signed by a CA, however, the "always" option doesn't
stick, with symptoms as described in
http://www.mail-archive.com/fossil-users@lists.fossil-scm.org/msg01289.html.

What happens is that, yes, the certificate is stored and retrieved in
the global fossil DB, but the SSL_get_verify_result() call returns 19
("the certificate chain could be built up using the untrusted
certificates but the root could not be found locally", from
http://www.openssl.org/docs/apps/verify.html#item_19).

Not knowing OpenSSL very well, I'm guessing this is because we never
add the CA (and any intermediates) into the X509 store
(X509_STORE_add_cert), but only the end client certificate. As a
result, the verification process fails because it can't find the
trusted CA/intermediate certificate in the X509 store.

If that analysis is correct, I think there are two options for fixing the issue:
1) Accept X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN == 19 as a good
result. At the minute the code requires X509_V_OK to connect without
prompting the user. I do not know OpenSSL well enough to understand if
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN _only_ happens when the
end-certificate is valid, but the CAs/IntermediateCAs aren't known.
If that was indeed the case, accepting
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN seems valid enough to me.

2) Use SSL_get_peer_cert_chain rather than SSL_get_peer_certificate
when retrieving the server certificate, then store all certificates
into the global DB. Before connecting, add all certificates belonging
to this server to the X509 store (calling X509_STORE_add_cert multiple
times, in effect).

I don't know if Dmitry is still active on this list, so I've taken the
liberty to BCC him to hear his opinion on either option. I'm happy to
have a whack at either option, but thought I should seek some advice
before doing so.

Thanks,
Bjorn
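The two outcomes described in the mail above (19 when only the end certificate is in the store, X509_V_OK once the chain is) and the caveat behind option 1, as an added example that is not part of the original post nor Fossil's or OpenSSL's code: a Python model of the chain-building rules in OpenSSL's X509_verify_cert(), with the signature check replaced by constructed key ids and every certificate name and key made up. It goes a little beyond the mail by also producing errors 18 and 20, and by showing that 19 is returned for any chain whose self-signed root came from the peer rather than from the store, so treating 19 as success would leave the stored certificate unused.

```python
# Added example (not Fossil's or OpenSSL's code): a model of how OpenSSL's X509_verify_cert()
# reaches X509_V_OK or errors 18/19/20. Signatures are stand-ins; all names and keys are made up.
from dataclasses import dataclass

X509_V_OK, DEPTH_ZERO_SELF_SIGNED, SELF_SIGNED_IN_CHAIN, NO_ISSUER_LOCALLY = 0, 18, 19, 20

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str          # stand-in for the public key
    signed_with: str  # key that produced the signature
    def issued_by(self, ca):  # check_issued() stand-in: name chains and the signature verifies
        return self.issuer == ca.subject and self.signed_with == ca.key
    def self_signed(self):
        return self.issued_by(self)

def extend(chain, pool):  # append issuers from pool until the top is self-signed or stuck
    while not chain[-1].self_signed():
        nxt = next((c for c in pool if chain[-1].issued_by(c) and c not in chain), None)
        if nxt is None:
            break
        chain.append(nxt)
    return chain[-1].self_signed()

def verify(leaf, untrusted, store):
    """untrusted: what SSL_get_peer_cert_chain() returned; store: the X509_STORE contents."""
    chain, chain_ss = [leaf], None
    if extend(chain, untrusted):                        # 1. climb the peer-sent chain
        if len(chain) == 1:                             # lone self-signed cert: exact match needed
            return X509_V_OK if leaf in store else DEPTH_ZERO_SELF_SIGNED
        chain_ss = chain.pop()                          # peer-sent root is set aside, never trusted
    if extend(chain, store):                            # 2. only the store may complete the chain
        return X509_V_OK
    if chain_ss is not None and chain[-1].issued_by(chain_ss):
        return SELF_SIGNED_IN_CHAIN                     # 19: the only root on offer came from the peer
    return NO_ISSUER_LOCALLY                            # 20: issuer found nowhere

# Constructed certificates: root -> intermediate -> server, plus an unrelated root and leaf.
root = Cert("Root CA", "Root CA", "k-root", "k-root")
inter = Cert("Intermediate CA", "Root CA", "k-inter", "k-root")
leaf = Cert("www.example.org", "Intermediate CA", "k-leaf", "k-inter")
other = Cert("Other CA", "Other CA", "k-other", "k-other")
other_leaf = Cert("www.example.org", "Other CA", "k-oleaf", "k-other")

def results():
    return {"leaf only in store (Fossil today)": verify(leaf, [inter, root], [leaf]),
            "whole chain in store (option 2)": verify(leaf, [inter, root], [leaf, inter, root]),
            "peer sent no root": verify(leaf, [inter], [leaf]),
            "other root, same name (option 1 risk)": verify(other_leaf, [other], [leaf, inter, root])}
```

Trusting just the root (store = [root]) also yields X509_V_OK in this model, which is why option 2 only needs the CA certificates from the peer chain to reach the store.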


Re: [fossil-users] HTTPS implementation doesn't remember certificates signed by CAs

2010-03-31 Thread Bjorn Toft Madsen
Silly me, I forgot to mention that I've added a public fossil repo at
https://www.toftmadsen.org/public.fossil

The certificate has been signed by an intermediate, in turn signed by
a root CA. Feel free to clone to verify this issue and/or any fix
anybody may be contemplating.

Thanks
Bjorn




Re: [fossil-users] SSL support, prebuilt binaries, Windows

2010-03-30 Thread Bjorn Toft Madsen
I managed a successful build of fossil on Windows, through the kind
help of other list members.

The only outstanding issue is some undefined references when
FOSSIL_ENABLE_SSL=1:
../../GnuWin32/lib/libcrypto.a(rand_win.o):rand_win.c:(.text+0xa3a):
undefined reference to `_getdevicec...@8
# more GDI32 unresolved externals
../../GnuWin32/lib/libssl.a(ssl_cert.o):ssl_cert.c:(.text+0x76d):
undefined reference to `_X509_STORE_CTX_init'
# more internal openssl unresolved externals

I would have thought the first class of unresolved could be sorted by
modifying Makefile.w32 so it holds:
LIB = -lmingwex -lz -lws2_32 -lgdi32

But it doesn't seem gdi32 holds the GDI functions the linker is looking for.

Anyone else seeing this problem when building with SSL on Windows?

Thanks for any help and advice you can provide,
Bjorn

On 29 March 2010 22:22, Ross Berteig r...@cheshireeng.com wrote:
 At 04:05 AM 3/29/2010, Bjorn Toft Madsen wrote:
  Be that as it may, is there anybody on this list who has successfully
  built fossil w/ssl on Windows?

 Not with SSL as yet, but I could try it.

  Taking a binary off you (the hypothetical Win builder) or not, I'd
  love to pick your brain on your environment so I can build myself. My
  Windows awk doesn't do what I think the makefile expects it to do and
  I've got other errors that make me believe the standard DOS shell
  isn't enough to build my own binary.

 I have both MingW and MSYS installed, along with the GnuWin32
 build of Gnu make. (Not to mention a lot of the rest of the
 GnuWin32 packages, but I don't think they enter into this
 question, aside from zlib.)

 I cloned the repository from fossil-scm.org in the usual way,
 then opened it into a working folder. I created a sub-folder for
 my windows build, and in there I created a config.w32 file
 containing two customizations for my environment:

   SRCDIR = ../src
   TCC += -I/e/Programs/GnuWin32/include -L/e/Programs/GnuWin32/lib

 The SRCDIR is required to point to the actual fossil source tree,
 since I'm building in a separate folder. The second is required
 to add references for the include and library files for zlib as
 distributed by GnuWin32. I'd guess that if I were to configure
 SSL, I'd use the GnuWin32 build of the library, and that this
 setting would cover that as well. Note that I was careful to
 install all GnuWin32 packages into a folder with no spaces
 anywhere in its full name. That makes it a lot easier to deal
 with for this kind of thing. That folder happens to be on E: due
 to a quirk of my XP install that resulted in there being no drive
 C:, but your mileage almost certainly will differ.

  From MSYS bash (running in a normal console window, not rxvt) I
 change the current directory into my windows build folder, then
 use make -f ../Makefile.w32 to build. Once I located the zlib
 package, it built on the first try.

 Even with all of the GnuWin32 core *nix utilities installed, I
 wouldn't expect the makefile to do the right thing with CMD.EXE
 as the shell, especially with its use of awk to write VERSION.h
 from the manifest of the current checkin which suffers badly from
 the difficulty of correctly quoting command line arguments in
 CMD.EXE. It is remotely possible that you can teach make to use
 MSYS bash as its shell, but then you'd have to get the paths
 translated correctly. All in all, it is much easier to just use
 the MSYS environment for building.


 Ross Berteig                               r...@cheshireeng.com
 Cheshire Engineering Corp.           http://www.CheshireEng.com/




Re: [fossil-users] SSL support, prebuilt binaries, Windows

2010-03-29 Thread Bjorn Toft Madsen
On 25 March 2010 16:49, D. Richard Hipp d...@hwaci.com wrote:

 On Mar 25, 2010, at 12:41 PM, Bjorn Toft Madsen wrote:

  Hi all,
 
  New to Fossil, loving it.
 
  Looking through the mailing list archive, I can see SSL support was
  added by Dmitry Chestnykh and it was pushed into a branch in 2009
  and then the ssl branch was closed in February.
 
  Where did it go from there? I got the pre-built binaries for
  Windows, but they say "compiled without ssl support" and I can't
  find a link to Windows binaries with SSL support.
 
  Are these binaries available somewhere or are my only options:
  - Drop https on my central depot, which I'd hate
  - Building fossil myself (MinGW and GnuWin32, I presume) with SSL
  support. Had a stab at this, but it wasn't exactly a one line
  operation (even with the BUILD instructions for Windows). First
  the ./file.extension format wasn't totally appreciated by my noob
  dos shell, then makeheaders didn't quite make any headers, so
  figured I try the mailing list for advice.
 
  Would appreciate any information you can provide about https/ssl on
  Windows.

 I've never tried to build SSL support on windows either.  Maybe
 somebody else on the mailing list can send you a binary?
Man, that sounds like a malware invite :)

Be that as it may, is there anybody on this list who has successfully
built fossil w/ssl on Windows?

Taking a binary off you (the hypothetical Win builder) or not, I'd
love to pick your brain on your environment so I can build myself. My
Windows awk doesn't do what I think the makefile expects it to do and
I've got other errors that make me believe the standard DOS shell
isn't enough to build my own binary.


 
  Thanks,
  Bjorn
 
  BTW: Apologies if you've got two versions of this email. I sent this
  yesterday, but it never got sent to the list and I can see the later
  "Vendor branches?" reply has been added to the archive and figured
  my mail got lost somehow.

 D. Richard Hipp
 d...@hwaci.com





[fossil-users] SSL support, prebuilt binaries, Windows

2010-03-25 Thread Bjorn Toft Madsen
Hi all,

New to Fossil, loving it.

Looking through the mailing list archive, I can see SSL support was
added by Dmitry Chestnykh and it was pushed into a branch in 2009
and then the ssl branch was closed in February.

Where did it go from there? I got the pre-built binaries for
Windows, but they say "compiled without ssl support" and I can't
find a link to Windows binaries with SSL support.

Are these binaries available somewhere or are my only options:
- Drop https on my central depot, which I'd hate
- Building fossil myself (MinGW and GnuWin32, I presume) with SSL
support. Had a stab at this, but it wasn't exactly a one line
operation (even with the BUILD instructions for Windows). First
the ./file.extension format wasn't totally appreciated by my noob
dos shell, then makeheaders didn't quite make any headers, so
figured I try the mailing list for advice.

Would appreciate any information you can provide about https/ssl on
Windows.

Thanks,
Bjorn

BTW: Apologies if you've got two versions of this email. I sent this
yesterday, but it never got sent to the list and I can see the later
"Vendor branches?" reply has been added to the archive and figured
my mail got lost somehow.