Hello,
  Thank you for the quick response. Sorry it took me so long to respond.

On 16/08/15 23:37, Jan Danielsson wrote:
> I assume you aren't using client certificates; but I'll ask anyway:
> Are you using client-certificates to achieve mutual authentication, or
> is it a server-only certificate?

It is a server only certificate.

> We could check for expired certificates on the client, but note that
> the important question is whether the server accepts expired
> certificates.  (The client can be manipulated, so that check can't be
> trusted for access control).
>
> What are you using to serve the repository over SSL?  stunnel?
> Apache?  Other?

Nginx with openssl. There is no option in the server config to use plain http and users are redirected to https.

> It was a while back, but I have a vague memory of fossil complaining
> when my certificates expired; though I use mutual authentication -- and
> I'm not entirely sure I remember correctly.

I am quite sure that fossil did not warn me - I accessed it from several machines and only noticed the certificate had expired when I used a browser.

> If you didn't add the CA as a trusted CA in fossil, then it should
> have asked you to trust the server certificate.  I'm not sure how the
> check is done; if it only compares name fields it's not good.
>
> Unfortunately I'll be a little busy the next few days, but send me a
> ping in a week or so if it still remains a mystery and I'll take a
> closer look.

Fossil definitely did not ask me to trust the new certificate - it is a completely different certificate too.

Thank you for your offer of help.

Saul Hazledine
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
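
The concern raised in the thread, that a trust check comparing only name fields would silently accept a replaced or expired server certificate, can be shown with a small added example. This is not fossil's code and makes no claim about how fossil performs its check; the function names, the host name and the certificate data are constructed for illustration, using the dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import calendar
import hashlib
import ssl

def common_name(info):
    # getpeercert() layout: "subject" is a tuple of RDNs, each a tuple of (key, value) pairs.
    for rdn in info["subject"]:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def name_only_check(stored, presented):
    # Weak: accepts any certificate whose CN equals the remembered one.
    return common_name(presented["info"]) == stored["cn"]

def pinned_check(stored, presented, now):
    # Stricter: the exact certificate must match the pin and be inside its validity period.
    problems = []
    if hashlib.sha256(presented["der"]).hexdigest() != stored["sha256"]:
        problems.append("fingerprint changed")
    if now < ssl.cert_time_to_seconds(presented["info"]["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(presented["info"]["notAfter"]):
        problems.append("expired")
    return problems

def make_cert(der, not_before, not_after):
    # Hypothetical helper: builds a constructed certificate record (placeholder DER bytes).
    return {"der": der, "info": {"subject": ((("commonName", "fossil.example.org"),),),
                                 "notBefore": not_before, "notAfter": not_after}}

# Constructed sample data: the certificate remembered on first use, and a
# different, already expired certificate later presented under the same name.
FIRST_SEEN = make_cert(b"constructed DER bytes A",
                       "Aug  1 00:00:00 2014 GMT", "Aug  1 00:00:00 2016 GMT")
REPLACED = make_cert(b"constructed DER bytes B",
                     "Aug  1 00:00:00 2013 GMT", "Aug  1 00:00:00 2015 GMT")
STORED = {"cn": "fossil.example.org",
          "sha256": hashlib.sha256(FIRST_SEEN["der"]).hexdigest()}
NOW = calendar.timegm((2015, 8, 16, 0, 0, 0))  # fixed clock so the result is repeatable

if __name__ == "__main__":
    for label, cert in (("first seen", FIRST_SEEN), ("replaced", REPLACED)):
        print(label, name_only_check(STORED, cert), pinned_check(STORED, cert, NOW))
```

The name-only comparison accepts both certificates, while the pinned check reports the replaced one as both changed and expired.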