Re: [fossil-users] HTTPS implementation doesn't remember certificates signed by CAs
Silly me, I forgot to mention that I've added a public fossil repo at https://www.toftmadsen.org/public.fossil

The certificate has been signed by an intermediate, in turn signed by a root CA. Feel free to clone to verify this issue and/or any fix anybody may be contemplating.

Thanks
Bjorn

On 31 March 2010 14:57, Bjorn Toft Madsen bj...@toftmadsen.org wrote:

> Through much help from list-members, I've finally managed to build an SSL-capable binary of fossil.
>
> On self-signed certificates the process is exactly as described by the original author (Dmitry, BCCed): Fossil displays certificate info before prompting to always accept, temporarily accept or reject the certificate. If always is chosen, the certificate is remembered in the global fossil DB (AppData/Local/_fossil on Windows, ~/.fossil on *nix I believe). Next time, fossil doesn't ask but silently accepts.
>
> On certificates signed by a CA, however, the always option doesn't stick, with symptoms as described in http://www.mail-archive.com/fossil-users@lists.fossil-scm.org/msg01289.html. What happens is that, yes, the certificate is stored and retrieved in the global fossil DB, but the SSL_get_verify_result() call returns 19 ("the certificate chain could be built up using the untrusted certificates but the root could not be found locally", from http://www.openssl.org/docs/apps/verify.html#item_19).
>
> Not knowing OpenSSL very well, I'm guessing this is because we never add the CA (and any intermediates) into the X509 store (X509_STORE_add_cert), but only the end client certificate. As a result, the verification process fails because it can't find the trusted CA/intermediate certificate in the X509 store.
>
> If that analysis is correct, I think there are two options for fixing the issue:
>
> 1) Accept X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN == 19 as a good result. At the minute the code requires X509_V_OK to connect without prompting the user. I do not know OpenSSL well enough to understand if X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN _only_ happens when the end-certificate is valid, but the CAs/intermediate CAs aren't known. If that was indeed the case, accepting X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN seems valid enough to me.
>
> 2) Use SSL_get_peer_cert_chain rather than SSL_get_peer_certificate when retrieving the server certificate, then store all certificates into the global DB. Before connecting, add all certificates belonging to this server to the X509 store (calling X509_STORE_add_cert multiple times, in effect).
>
> I don't know if Dmitry is still active on this list, so I've taken the liberty to BCC him to hear his opinion on either option. I'm happy to have a whack at either option, but thought I should seek some advice before doing so.
>
> Thanks,
> Bjorn

___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] HTTPS implementation
Hi Dmitry,

I built fossil with https support on Linux but it keeps asking me about the certificate even if I accept with 'a' (always). I tried merging trunk to the ssl branch to see if it resolves the problem but it persists. If I keep saying 'a' to certificate prompts, I can clone successfully. But then if I sync, it again prompts me and then prints the REPLACE INTO statement in the console, followed by a message to run fossil all rebuild, which also does not help. Please help.

This is how I built it:

    fossil open fossil.fsl ssl
    vi Makefile   (to enable FOSSIL_ENABLE_SSL=1)
    make

This is fossil version [d92945e5da] 2009-11-09 21:22:32 UTC

- Altu

-----Original Message-----
From: Dmitry Chestnykh dch...@gmail.com
To: fossil-users@lists.fossil-scm.org
Sent: Thu, Nov 5, 2009 7:07 am
Subject: Re: [fossil-users] HTTPS implementation

Okay, here's how I currently implemented it.

Everything SSL is in http_ssl.c, which has a similar interface to http_socket.c, and http_transport.c calls these functions.

When a user connects to an https server, s/he's presented with an "Unknown SSL certificate" prompt, which prints some values from the certificate, for example:

    Unknown SSL certificate:
      countryName = RU
      stateOrProvinceName = Some-State
      organizationName = Coding Robots
      commonName = codingrobots.com
      emailAddress = x...@xxx.com
    issued By: ...

and asks him to decline, accept or always accept this certificate. (Usually, when using HTTPS, SSL certificates signed by trusted root CAs are automatically accepted, however this requires keeping a list of root certificates -- I ignored this for now -- all certificates are untrusted by default.)

If the certificate is declined by the user, the connection fails. If it's accepted, it continues.

If the user chooses to always accept a certificate, Fossil saves it to the ~/.fossil database in the global_config table with the following format:

    key=cert:hostname
    value=PEM certificate

where PEM certificate is a certificate saved in PEM (text) format:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

The next time the user connects to this hostname, Fossil looks up the certificate in global_config for the hostname and adds it to the trusted certificates list, so that the user won't get prompted to accept it again.

That's it. It works for me on Mac OS X. Though I haven't yet checked if it actually encrypts anything, but it should :-) (Need a working traffic sniffer...)

Feel free to try to compile and test it: http://codingrobots.org/p/fossil

PS Also, everything is under #ifdef FOSSIL_ENABLE_SSL (which is currently defined in config.h). I'm not good in Makefiles and stuff, so I'm not sure how the actual configuration should be done.

--
Dmitry Chestnykh
Coding Robots
http://www.codingrobots.com
dmi...@codingrobots.com
Re: [fossil-users] HTTPS implementation (update)
Hello,

I'm not sure if my previous email made it into the list (I don't see it in the archive), so I'll post the same details about the implementation plus something I changed recently.

Here's an update on the current status of the HTTPS implementation. First of all, I think it's ready :-) (I tested it on Ubuntu 9.10 and Mac OS X 10.6. Does anyone want to test it on Windows?)

As OpenSSL may not be available on some platforms, and many people don't want external dependencies (other than zlib), I've made it disabled by default for now. If you want to compile Fossil with SSL support, use the following command:

    $ FOSSIL_ENABLE_SSL=1 make

or edit Makefile and uncomment the line to always enable it.

When you first connect to an HTTPS server, Fossil will print a description of the certificate and ask you to accept, always accept or decline it (or it will automatically accept it if it's a proper certificate signed by a certification authority, but only on Mac OS X -- see below).

If you choose to always accept the certificate, Fossil will remember it in the user configuration (~/.fossil) (global_config table, name=cert:hostname, value=certificate in PEM format). It will then automatically accept the same certificate for the same hostname. (If the certificate changes, which is most likely to be a man-in-the-middle attack if you didn't change it, Fossil will issue a warning and ask to accept a new certificate -- this is how browsers behave.)

I chose not to include root CA certificates, because 1) it would require ~200 Kb of space, 2) root certificates must be compiled into the fossil binary... imagine a 200 Kb string in a .c file :-/ So, on most platforms you will be asked to accept the certificate even if it was signed by a CA (this is what browsers do for self-signed certificates). I don't think it's a problem. However, I learned that on Mac OS X OpenSSL integrates with Keychain, so for this platform certificates signed by a CA will be accepted automatically.

Changes to Fossil are: new file http_ssl.c (http://codingrobots.org/p/fossil/finfo?name=src/http_ssl.c), plus changes to http_transport.c, Makefile, makemake.tcl, main.mk.

What is the consensus on including this into Fossil? Should I push the changes into the main repository?

--
Dmitry Chestnykh
Coding Robots
http://www.codingrobots.com
dmi...@codingrobots.com
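The cert:hostname store described above (and in the earlier message), combined with Bjorn's option 2 of remembering the whole chain rather than only the leaf, as an added Python example that is not Fossil's http_ssl.c code: the PEM values are constructed placeholders, an in-memory SQLite table stands in for ~/.fossil, and trust_decision is my reading of the policy the thread describes (pin the accepted chain, warn when it changes, excuse only a missing trust anchor), not Fossil's actual logic.

```python
import sqlite3

# OpenSSL verify-result codes named in the thread (values from x509_vfy.h).
X509_V_OK = 0
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
ISSUER_UNKNOWN = {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
                  X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY}  # "issuer not in local store"
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

# Constructed placeholders for a leaf + issuer chain (not real certificates).
CHAIN_PEM = (BEGIN + "\nCONSTRUCTED-LEAF-NOT-A-REAL-CERT\n" + END + "\n"
             + BEGIN + "\nCONSTRUCTED-ISSUER-NOT-A-REAL-CERT\n" + END + "\n")

def split_pem_chain(bundle):
    """One string per cert, so leaf, intermediates and root are each added to the store."""
    certs, current = [], None
    for line in (l.strip() for l in bundle.splitlines()):
        if line == BEGIN:
            current = [line]
        elif line == END and current is not None:
            certs.append("\n".join(current + [line]) + "\n")
            current = None
        elif current is not None and line:
            current.append(line)
    return certs

def open_global_config():
    db = sqlite3.connect(":memory:")  # stands in for the ~/.fossil database
    db.execute("CREATE TABLE global_config(name TEXT PRIMARY KEY, value ANY)")
    return db

def remember_chain(db, host, chain_pem):
    # name=cert:hostname, value=PEM as in the thread, but the whole chain, not just the leaf.
    db.execute("REPLACE INTO global_config(name, value) VALUES (?, ?)",
               ("cert:" + host, chain_pem))
    db.commit()

def trust_decision(db, host, verify_result, presented_chain):
    """'accept' (connect silently), 'prompt' (ask the user) or 'changed' (warn)."""
    if verify_result == X509_V_OK:
        return "accept"
    row = db.execute("SELECT value FROM global_config WHERE name = ?",
                     ("cert:" + host,)).fetchone()
    if row is None:
        return "prompt"                      # first contact: nothing pinned yet
    if split_pem_chain(row[0]) != split_pem_chain(presented_chain):
        return "changed"                     # pinned chain differs: possible MITM
    return "accept" if verify_result in ISSUER_UNKNOWN else "prompt"  # only a missing anchor is excused
```

With the real OpenSSL client, each string from split_pem_chain would be parsed and handed to X509_STORE_add_cert before the handshake, after which SSL_get_verify_result returns X509_V_OK for the pinned chain instead of 19.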
Re: [fossil-users] HTTPS implementation (update)
On Nov 9, 2009, at 10:16 AM, Dmitry Chestnykh wrote:

> What is the consensus on including this into Fossil? Should I push changes into main repository?

I'd like to see you push the changes - at least into a branch.

D. Richard Hipp
d...@hwaci.com
Re: [fossil-users] HTTPS implementation (update)
> I'd like to see you push the changes - at least into a branch.

Done. It's in the ssl branch.

BTW, if anyone wants to try out SSL support feel free to clone any repository on https://codingrobots.org; for example, https://codingrobots.org/p/crdatabase. I can also set up some test repo with write access, if you need to try out push. Let me know.

--
Dmitry Chestnykh
Coding Robots
http://www.codingrobots.com
dmi...@codingrobots.com
Re: [fossil-users] HTTPS implementation
> Both DRH and I looked at the OpenSSL client-side code and decided it was going to be too much of a hassle to integrate.

You mean, the requirement of libssl to be present on users' computers?

--
Dmitry Chestnykh
Coding Robots
http://www.codingrobots.com
dmi...@codingrobots.com
Re: [fossil-users] HTTPS implementation
On Nov 4, 2009, at 6:03 PM, Dmitry Chestnykh wrote:

> > Both DRH and I looked at the OpenSSL client-side code and decided it was going to be too much of a hassle to integrate.
>
> You mean, the requirement of libssl to be present on users' computers?

Not so much that as just getting libssl to work. I spent a couple of days messing with it and never could get it to do right.

D. Richard Hipp
d...@hwaci.com
Re: [fossil-users] HTTPS implementation
On Thu, Nov 5, 2009 at 12:18 AM, Steve Landers st...@digitalsmarties.com wrote:

> Although that requirement is also an issue. Any solution would ideally be statically linked on Windows (I'm assuming that won't be a problem on *nix).

If I'm not mistaken, Solaris 10 (or as of a certain version of it) doesn't support static linking anymore, at least not with system libs (e.g. libc and libnls). I don't remember with certainty if that limitation applies only to system libs or generically, however.

--
- stephan beal
http://wanderinghorse.net/home/stephan/