| Ticket UUID: | f696bc85f8b91d263f5bf4c5bbd261bd252c46a0 | ||
| Title: | Client side verification of SSL server certificates should use system wide default CAs | ||
| Status: | Fixed | Type: | Feature_Request |
| Severity: | Minor | Priority: | |
| Subsystem: | Resolution: | Fixed | |
| Last Modified: | 2010-10-06 12:15:50 | ||
| Version Found In: | fb5f0c2580 | ||
| Description & Comments: | |||
Most installations of OpenSSL come with a system wide directory of default certificate authorities and most applications using OpenSSL make use of this certificate store during server certificate verification, which is handy because a system administrator only has to manage one central store of acceptable certificate authorities.
Fossil presently doesn't use the system wide CA certificate store, but I think it should :-) The necessary change is only one line of code:
Index: src/http_ssl.c
===================================================================
--- src/http_ssl.c
+++ src/http_ssl.c
@@ -90,10 +90,11 @@
SSL_library_init();
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
sslCtx = SSL_CTX_new(SSLv23_client_method());
+ X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx));
sslIsInit = 1;
}
}
/*
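Review bot: The added `X509_STORE_set_default_paths()` call discards its return value; the function returns 0 on failure, so the result should be checked and reported rather than silently leaving the context with no trust anchors. The same effect is obtained more conventionally with `SSL_CTX_set_default_verify_paths(sslCtx)`, whose return value can be tested the same way. Loading the default CA store only has an effect if the context actually verifies the peer: nothing in this hunk sets `SSL_VERIFY_PEER` or inspects the verification result, so confirm that the existing code in http_ssl.c enables verification and checks `SSL_get_verify_result()` after the handshake, otherwise the new call changes nothing.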