View Ticket
Ticket UUID: 45f89e504b49833746286e9c2674b838250e3776
Title: Syncing a "bare" repository over SSL fails to store certificate
Status: Fixed
Type: Code_Defect
Severity: Important
Priority:
Subsystem:
Resolution: Fixed
Last Modified: 2010-03-21 17:03:34
Version Found In: 73c24ae363
Description & Comments:
I have several repositories set up on a server at home which I want to sync periodically to an external server like this one.

To reproduce (seen on OS X and Linux (CentOS 5.3)):

fossil clone https://code.linuxfood.net/pub/repo/git-import gi.fsl # (or probably any other ssl repo. See below).
fossil sync -R gi.fsl

Output:
...
Send:            1091         21          0          0

Unknown SSL certificate:

  countryName               = --
  stateOrProvinceName       = SomeState
  localityName              = SomeCity
  organizationName          = SomeOrganization
  organizationalUnitName    = SomeOrganizationalUnit
  commonName                = nudibranch.linuxfood.net
  emailAddress              = root@nudibranch.linuxfood.net

Issued By:

  countryName               = --
  stateOrProvinceName       = SomeState
  localityName              = SomeCity
  organizationName          = SomeOrganization
  organizationalUnitName    = SomeOrganizationalUnit
  commonName                = nudibranch.linuxfood.net
  emailAddress              = root@nudibranch.linuxfood.net


Accept certificate [a=always/y/N]? a

REPLACE INTO global_config(name,value) VALUES('cert:code.linuxfood.net','-----BEGIN CERTIFICATE-----
MIIEIDCCA4mgAwIBAgICX/IwDQYJKoZIhvcNAQEFBQAwgcExCzAJBgNVBAYTAi0t
MRIwEAYDVQQIEwlTb21lU3RhdGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQK
[snip for brevity]
XQ6rdn5/eMocYvA0BOXd0pD5HWKX6WfX+kvqdo4P6l/2tBWCLXBlBuaLUfwZtm1S
XBbhCw==
-----END CERTIFICATE-----
')

This behavior only occurs when you press 'a' for always. It appears to be a result of the fact that sync didn't use to need to write to the config database until SSL support was introduced. Accepting the cert temporarily causes it to not write it to the config.

Opening ~/.fossil in process_sync_args() appears to fix the problem. Patch:

Index: src/sync.c
===================================================================
--- src/sync.c
+++ src/sync.c
@@ -84,10 +84,11 @@
   const char *zPw = 0;
   int urlOptional = find_option("autourl",0,0)!=0;
   g.dontKeepUrl = find_option("once",0,0)!=0;
   url_proxy_options();
   db_find_and_open_repository(1);
+  db_open_config(0);
   if( g.argc==2 ){
     zUrl = db_get("last-sync-url", 0);
     zPw = db_get("last-sync-pw", 0);
   }else if( g.argc==3 ){
     zUrl = g.argv[2];
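
Review bot: The added db_open_config(0) call right after db_find_and_open_repository(1) carries no comment explaining why sync needs the config database, and it runs on every invocation, including URLs that never use SSL. Add a one-line comment tying it to persisting an accepted certificate, and consider opening the config at the point where the certificate is written instead, so any other caller that reaches the certificate prompt without going through this function gets the same fix.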

Additionally, I added an assert to be a little more violent about this kind of bug. This one is less necessary, but was useful in verifying the bug and might catch other instances as well. Patch:

Index: src/db.c
===================================================================
--- src/db.c
+++ src/db.c
@@ -1194,10 +1194,11 @@
 ** so this routine is a no-op.
 */
 void db_swap_connections(void){
   if( !g.useAttach ){
     sqlite3 *dbTemp = g.db;
+    assert(g.dbConfig);
     g.db = g.dbConfig;
     g.dbConfig = dbTemp;
   }
 }
 
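Review bot: The assert(g.dbConfig) in the !g.useAttach branch is compiled out when NDEBUG is defined, so a release build would still swap a null g.dbConfig into g.db and the write would be lost with no diagnostic. If the goal is to catch this class of bug in the field, replace the assert with an explicit check that reports a fatal error (or opens the config database on demand), and extend the header comment above db_swap_connections to state that the config database must already be open.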

Thanks,

-B