Artifact 475dfeb1d89c37748f042cb8b31311d6d25e81d2:
Ticket change [475dfeb1d8] - Ticket [727af73f46] "ssl: on "pull -R repo", gets ssl certificate again, asks to accept a/y/N", status still Open with 1 other change, by jan, 2011-03-29 12:47:24.
D 2011-03-29T12:47:24.211
J +comment

jan added on 2011-03-29 12:47:24 UTC:

Since I'm anyway working with the PKI stuff, I thought I'd search for some related tickets, and I found this one.

As wfreeman pointed out, SSL is returning X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, which means exactly what it says.

Slightly simplified:
In a PKI trust model environment you have a central authority which you trust to sign certificate signing requests for client and server certificates. The problem here is that even if the server side can verify the authenticity of the relevant certificates, OpenSSL is paranoid enough (read: has the common sense) to want to validate the certificates against the CA certificate on the client side as well. But since fossil currently doesn't actually load the CA certificate into the SSL context, thus not making them accessible for the verification procedure, it won't succeed. The error says exactly that: "I found an issuer in a (server) certificate, but I cannot locate the issuer's certificate (CA) on this local system (for verifying the authenticity of the server certificate)".

Though note that it's up to the application to choose whether to care about verification problems or not; SSL doesn't care other than flagging the problem, so fossil isn't technically doing anything wrong by simply marching on like nothing happened.

There are two obvious solutions to this ticket:
  1. Configuring verify mode or verify depth to 0 (it won't care about verifying against the CA). See SSL_CTX_set_verify(3) for more information.
  2. Add support for adding the CA certificate(s) to the SSL context on the client side.

As a direct result of my work on supporting client certificates, I'm working on point 2.

For those who are interested (and only have a single-level CA), there's a one-line patch for point 2 if you don't mind a hard-coded temporary solution. Somewhere early (like after the call to ssl_global_init() in ssl_open()), add:

SSL_CTX_load_verify_locations(sslCtx, "/etc/ssl/public/ca.crt", NULL);

Adjust the cafile path, and make sure it's in the PEM format.
K 727af73f467a64be0d0bbbcf46c513062a9e4704
U jan
Z 3f3f23e6430441b0bd563119cdaec6c7
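The failure described in the comment above, as an added example that is not fossil's code (written in Go rather than fossil's C so it runs stand-alone without an OpenSSL build): a constructed single-level CA signs a server certificate, a client that never loaded that CA fails with Go's equivalent of X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, and loading the CA (point 2) or disabling verification (point 1) both get past the handshake, though only the former actually authenticates the server. The names Pull, issue, "Example CA" and fossil.example are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue returns a fresh P-256 key and the certificate for tmpl signed by parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors dropped for brevity
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Pull handshakes once with a loopback server whose certificate is signed by a constructed single-level CA and
// returns the client's error. trustCA loads that CA into the client (point 2); insecure turns verification off (point 1).
func Pull(trustCA, insecure bool) error {
	t0, t1 := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: t0, NotAfter: t1, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	srv, srvKey := issue(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"fossil.example"}, NotBefore: t0,
		NotAfter: t1, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	ln, _ := net.Listen("tcp", "127.0.0.1:0") // loopback only; the client below is the only peer
	defer ln.Close()
	go func() { // server side: accept once, handshake (fails when the client rejects the certificate), close
		raw, _ := ln.Accept()
		s := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}})
		s.Handshake()
		s.Close()
	}()
	// An empty trust store is fossil's situation: no CA certificate was ever loaded into the context.
	cfg := &tls.Config{ServerName: "fossil.example", InsecureSkipVerify: insecure, RootCAs: x509.NewCertPool()}
	if trustCA { // Go's analogue of SSL_CTX_load_verify_locations(): the CA becomes a trusted root
		cfg.RootCAs.AddCert(ca)
	}
	c, err := tls.Dial("tcp", ln.Addr().String(), cfg) // neither flag: x509.UnknownAuthorityError, OpenSSL's "unable to get issuer cert locally"
	if err == nil {
		c.Close()
	}
	return err
}
```

Note that Pull(false, true) succeeds only because nothing is checked; it is the "verify mode 0" path and gives no assurance about who the server is.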