<hr /><i>anonymous claiming to be Earl added on 2011-06-19 19:05:55 UTC:</i><br />
Another quick fix:

As an alternative to hard coding the certificate location, I added the following to ssl_global_init() in http_ssl.c

<code>
        char *cert_file;<br>
        cert_file = mprintf("%s.pem", g.zRepositoryName);<br>
        SSL_CTX_load_verify_locations(sslCtx, cert_file, NULL);<br>
        free(cert_file);
</code>

This makes OpenSSL look for a certificate file in the same directory as the fossil, named the same as the repository but with .pem added on. For example, when syncing myrepo.fossil, OpenSSL will use myrepo.fossil.pem if it exists. If not, the default locations (e.g. /usr/local/ssl/certs or even C:\usr\local\ssl\certs) are used. This makes it possible to have different certificates for different repositories.

The method works with clone as well as operations on established repositories. Of course, the .pem file should be present before you issue the clone command.

PEM files can contain more than one certificate, up to the trusted root CA. This is not the case for files in directories like /usr/local/ssl/certs, which can only have one certificate per file and need to be named using the openSSL c_rehash utility.

Thank you for developing Fossil. Looking forward to further SSL features.