Hi All,

With the patch from ticket <http://www.fossil-scm.org/index.html/info/45f89e504b>, bare SSL syncing now works properly with self-signed certificates. However, Fossil doesn't load the system certificate store on CentOS/Linux (and probably other *nix type platforms as well). This means that if you present a certificate signed by an external party (CAcert or Verisign, for example), fossil will fail the verification with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, which normally means that the list of trusted certificates is not complete [1].
There are a few solutions to this problem. First, we could load the system certificate store. Though that's not as simple as it sounds, since there is no standardized location across *nix distributions for the system store. After just a quick survey: CentOS stores them at /etc/pki/tls/cert.pem, Debian stores them as a bundle in /etc/ssl/certs/ca-certificates.crt (and that's generated from single files under /usr/share/ca-certificates), FreeBSD stores them at /usr/local/share/certs/ca-root-nss.crt, Arch appears to store them in the same way as Debian, and OpenSolaris doesn't even include any by default. You get the idea.

The second solution is to prompt, or otherwise encourage, the user to manually specify the path to the certificate chain. This has the advantage of maximum control, but may be a little "frightening" to new/less savvy users.

Probably the best solution is to do some runtime detection and allow the user to override if the auto detection doesn't work quite right. It's probably even worthwhile to allow the user to manually load (via a new command? web ui?) certificates into the global fossil configuration for those situations where they don't have the ability to modify the system certificate store and/or don't want to maintain their own certificate bundle.

I've attached a patch which does some simple detection of system certificate stores. I've tested it on OS X (10.6), CentOS 5.3, Debian 5.0, and FreeBSD 7.2. I need someone to test on Windows since my Windows VM is broken at the moment. On OS X, we don't actually need to load the system or login stores since they appear to have patched openssl to do that for us.

[1] See manpage verify(1) from the openssl distribution.
detect-platform-certs.patch
_______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
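The detect-then-override policy proposed in the post, as an added example that is not the attached patch or Fossil's own code: a C function that probes the bundle locations named above in order, lets a user-supplied path take precedence (and treats a missing override as an error rather than silently falling back), and takes its existence check as a parameter so the selection can be exercised against a constructed filesystem predicate. The FOSSIL_CA_BUNDLE variable and the Debian-style predicate are assumptions for illustration, not real Fossil settings.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* CA bundle locations named in the post, probed in this order. */
static const char *const kCaBundleCandidates[] = {
  "/etc/pki/tls/cert.pem",                  /* CentOS */
  "/etc/ssl/certs/ca-certificates.crt",     /* Debian, Arch */
  "/usr/local/share/certs/ca-root-nss.crt", /* FreeBSD */
  NULL
};

/* Real existence check: path names a regular file. */
static int regular_file_exists(const char *path){
  struct stat st;
  return stat(path, &st)==0 && S_ISREG(st.st_mode);
}

/* Constructed stand-in for a Debian-style filesystem where only the Debian
** bundle "exists"; lets the selection logic be exercised deterministically. */
static int debian_like_fs(const char *path){
  return strcmp(path, "/etc/ssl/certs/ca-certificates.crt")==0;
}

/* Choose the CA bundle to hand to SSL_CTX_load_verify_locations().
** A non-empty override (a hypothetical user setting) wins outright; if it
** does not exist the result is NULL, not a silent fallback to auto-detection,
** so a typo surfaces as an error instead of trusting a bundle the user never
** named. Otherwise the NULL-terminated candidates are probed in order.
** exists is injectable so the logic can be tested without the real fs. */
const char *choose_ca_bundle(const char *override,
                             const char *const *candidates,
                             int (*exists)(const char *)){
  if( override && override[0] ) return exists(override) ? override : NULL;
  for(; candidates && *candidates; candidates++){
    if( exists(*candidates) ) return *candidates;
  }
  return NULL;
}

int main(void){
  /* FOSSIL_CA_BUNDLE is a hypothetical override, not a real Fossil setting. */
  const char *bundle = choose_ca_bundle(getenv("FOSSIL_CA_BUNDLE"),
                                        kCaBundleCandidates, regular_file_exists);
  if( !bundle ){ fprintf(stderr, "no CA bundle found\n"); return 1; }
  printf("using CA bundle %s\n", bundle);
  return 0;
}
```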