Ticket Change Details
Overview

Artifact ID: acbf22cde380d55ac2b6b2ed83a4ea9773023c3c
Ticket: 727af73f467a64be0d0bbbcf46c513062a9e4704
ssl: on "pull -R repo", gets ssl certificate again, asks to accept a/y/N
User & Date: anonymous 2011-06-19 19:05:55
Changes

  1. Appended to comment:
    
    
    <hr /><i>anonymous claiming to be Earl added on 2011-06-19 19:05:55 UTC:</i><br />
    Another quick fix:
    
    As an alternative to hard coding the certificate location, I added the following to ssl_global_init() in http_ssl.c
    
    <code>
            char *cert_file;<br>
            cert_file = mprintf("%s.pem", g.zRepositoryName);<br>
            SSL_CTX_load_verify_locations(sslCtx, cert_file, NULL);<br>
            free(cert_file);
    </code>
    
    This makes OpenSSL look for a certificate file in the same directory as the fossil, named the same as the repository but with .pem added on. For example, when syncing myrepo.fossil, OpenSSL will use myrepo.fossil.pem if it exists. If not, the default locations (e.g. /usr/local/ssl/certs or even C:\usr\local\ssl\certs) are used. This makes it possible to have different certificates for different repositories.
    
    The method works with clone as well as operations on established repositories. Of course, the .pem file should be present before you issue the clone command.
    
    PEM files can contain more than one certificate, up to the trusted root CA. This is not the case for files in directories like /usr/local/ssl/certs, which can only have one certificate per file and need to be named using the OpenSSL c_rehash utility.
    
    Thank you for developing Fossil. Looking forward to further SSL features.
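
The file proposed in the comment above, `<repository>.pem`, becomes the set of CAs trusted for that repository, so it is worth checking before a sync. The following is an added example, not Fossil code and not from the comment's author: it audits that file without OpenSSL, reporting whether it is absent, writable by group or others, or holds no complete certificate. The function names, result codes and 64 KiB size limit are assumptions; POSIX permission bits are assumed.

```c
/* Added example (not Fossil code); function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"
enum { AUDIT_OK, AUDIT_ABSENT, AUDIT_BAD_FILE, AUDIT_WRITABLE, AUDIT_NO_CERT };

/* Build "<repo>.pem"; returns -1 if the buffer is too small. */
int bundle_path(const char *repo, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s.pem", repo);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Count complete certificate blocks; -1 if any block is unterminated. */
int count_pem_certs(const char *text) {
    int count = 0;
    const char *p = text;
    while ((p = strstr(p, PEM_BEGIN)) != NULL) {
        const char *body = p + strlen(PEM_BEGIN);
        const char *end = strstr(body, PEM_END);
        const char *next = strstr(body, PEM_BEGIN);
        if (end == NULL || (next != NULL && next < end)) return -1;
        count++;
        p = end + strlen(PEM_END);
    }
    return count;
}

/* Audit the trust file that would be picked up for this repository. */
int audit_bundle(const char *repo) {
    static char buf[65536];   /* assumption: bundles are under 64 KiB */
    char path[4096];
    struct stat st;
    FILE *f;
    if (bundle_path(repo, path, sizeof path) != 0) return AUDIT_BAD_FILE;
    if (stat(path, &st) != 0) return AUDIT_ABSENT;   /* defaults apply */
    if (!S_ISREG(st.st_mode)) return AUDIT_BAD_FILE;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return AUDIT_WRITABLE;
    if ((f = fopen(path, "r")) == NULL) return AUDIT_BAD_FILE;
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    return count_pem_certs(buf) > 0 ? AUDIT_OK : AUDIT_NO_CERT;
}

int main(int argc, char **argv) {
    return argc > 1 ? audit_bundle(argv[1]) : AUDIT_BAD_FILE;
}
```

Run it with the repository path as the only argument; the exit status is the audit result, 0 meaning a usable bundle that only its owner can modify.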