Ticket Change Details
Overview

Artifact ID: 475dfeb1d89c37748f042cb8b31311d6d25e81d2
Ticket: 727af73f467a64be0d0bbbcf46c513062a9e4704
ssl: on "pull -R repo", gets ssl certificate again, asks to accept a/y/N
User & Date: jan 2011-03-29 12:47:24
Changes

  1. Appended to comment:
    
    
    jan added on 2011-03-29 12:47:24 UTC:
    Since I'm anyway working with the PKI stuff, I thought I'd search for some related tickets, and I found this one.
    
    As wfreeman pointed out, SSL is returning X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY which means exactly what it says. 
    
    Slightly simplified:
    In a PKI trust model environment you have a central authority which you trust to sign certificate sign requests for client and server certificates. The problem here is that even if the server side can verify the authenticity of the relevant certificates, OpenSSL is paranoid enough (read: has the common sense) to want to validate the certificates against the CA certificate on the client side as well. But since fossil currently doesn't actually load the CA certificate into the SSL context, thus not making them accessible for the verification procedure, it won't succeed. The error says exactly that: "I found an issuer in a (server) certificate, but I can not locate the issuer's certificate (CA) on this local system (for verifying the authenticity of the server certificate)". 
    
    Though note that it's up to the application to choose whether to care about verification problems or not; SSL doesn't care other than flagging the problem, so fossil isn't technically doing anything wrong by simply marching on like nothing happened.
    
    
    There are two obvious solutions to this ticket:
      1. Configuring verify mode or verify depth to 0 (it won't care about verifying against the CA). See SSL_CTX_set_verify(3) for more information.
      2. Add support for adding the CA certificate(s) to the SSL context on the client side.
    
    As a direct result of my work on supporting client certificates, I'm working on point 2.
    
    For those who are interested (and only have a single-level CA), there's a one-line patch for point 2 if you don't mind a hard-coded temporary solution. Somewhere early (like after the call to ssl_global_init() in ssl_open()), add:
    
    SSL_CTX_load_verify_locations(sslCtx, "/etc/ssl/public/ca.crt", NULL);
    
    Adjust the cafile path, and make sure it's in the PEM format.
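    The trust-model point made in the comment above, run end to end as an added example. This is not fossil's code and does not touch OpenSSL: it uses Go's crypto/tls as a stand-in, with tls.Config.RootCAs playing the role of the CA file handed to SSL_CTX_load_verify_locations and InsecureSkipVerify playing the role of a verify mode that ignores the CA (solution 1 above). The single-level CA, the server certificate and the loopback server are all constructed in the block; x509.UnknownAuthorityError is Go's counterpart of X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a key pair and a certificate for tmpl; with parent == nil it is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed: this is the constructed single-level CA
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// handshake runs one TLS handshake over loopback and returns the error the client saw (nil = accepted).
func handshake(server tls.Certificate, client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // outcome is reported on the client side
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcome labels a handshake result; the "unknown authority" case is Go's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
func Outcome(err error) string {
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "verified"
	case errors.As(err, &unknown):
		return "issuer certificate not available locally"
	}
	return "other error: " + err.Error()
}

// Scenarios builds a constructed lab PKI and tries the three client setups discussed in the ticket.
func Scenarios() (map[string]string, error) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	ca, caKey, err := issue(&x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "Constructed Lab CA"}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return nil, err
	}
	srv, srvKey, err := issue(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "lab server"}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}, ca, caKey)
	if err != nil {
		return nil, err
	}
	server := tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // client-side counterpart of SSL_CTX_load_verify_locations
	cases := map[string]*tls.Config{
		"no CA loaded":    {RootCAs: x509.NewCertPool()}, // verification on, empty trust store: fossil's current state
		"verify disabled": {InsecureSkipVerify: true},    // verify mode off: no error, but also no authentication
		"CA loaded":       {RootCAs: trusted},            // solution 2: the CA is available for chain building
	}
	out := map[string]string{}
	for name, cfg := range cases {
		out[name] = Outcome(handshake(server, cfg))
	}
	return out, nil
}

func main() {
	out, err := Scenarios()
	fmt.Println(out, err)
}
```

    Only "CA loaded" both succeeds and actually authenticates the server; "verify disabled" succeeds because nothing is checked, which is why the comment above prefers solution 2.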