Changes In Branch ssl_platform_fixes Excluding Merge-Ins
This is equivalent to a diff from ae000c23fa to 6b8b6d2e23
2010-10-22
01:06 | Merge in some ui enhancements from the ssl_platform_fixes branch. Leaf check-in: 3c19422b6e user: bcsmith tags: ui-improvements | |
2010-10-03
20:00 | Dramatic performance improvement for "fossil deconstruct" and "fossil reconstruct" on large repositories. Add progress information for "fossil reconstruct". Possibly related to ticket [2a1e8e3c4b0b39e08fdde0]. Fix for ticket [76d3ecfdab577bdf843]. check-in: 5f0201030c user: drh tags: trunk | |
19:24 | More descriptive SSL error messages. Closed-Leaf check-in: 6b8b6d2e23 user: bcsmith tags: ssl_platform_fixes | |
19:01 | For "fossil rebuild" increment the progress counter after each artifact is processed, rather than waiting for its delta children to be processed, in order to give a more uniform progress indication. Possibly related to ticket [2a1e8e3c4b0b39e08fdde]. check-in: ae000c23fa user: drh tags: trunk | |
2010-10-02
12:51 | show new allowed tags(checkin [172dccb66f]) in wiki help page check-in: c492eab395 user: wolfgang tags: trunk | |
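--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -126,15 +126,16 @@
 ** g.urlPort TCP/IP port to use. Ex: 80
 **
 ** Return the number of errors.
 */
 int ssl_open(void){
 X509 *cert;
 int hasSavedCertificate = 0;
-char *connStr ;
+char *connStr;
+int vresult = 0;
 ssl_global_init();
 
 /* Get certificate for current server from global config and
 * (if we have it in config) add it to certificate store.
 */
 cert = ssl_get_certificate();
 if ( cert!=NULL ){
@@ -174,17 +175,18 @@
 
 if ( cert==NULL ){
 ssl_set_errmsg("No SSL certificate was presented by the peer");
 ssl_close();
 return 1;
 }
 
-if( SSL_get_verify_result(ssl) != X509_V_OK ){
+if( (vresult = SSL_get_verify_result(ssl)) != X509_V_OK ){
 char *desc, *prompt;
 char *warning = "";
+char *ssl_verify_error = "";
 Blob ans;
 BIO *mem;
 
 mem = BIO_new(BIO_s_mem());
 X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE);
 BIO_puts(mem, "\n\nIssued By:\n\n");
 X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_MULTILINE);
@@ -191,16 +193,143 @@
 BIO_write(mem, "", 1); // null-terminate mem buffer
 BIO_get_mem_data(mem, &desc);
 
 if( hasSavedCertificate ){
 warning = "WARNING: Certificate doesn't match the "
 "saved certificate for this host!";
 }
-prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n"
-"Accept certificate [a=always/y/N]? ", desc, warning);
+switch(vresult) {
+case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ssl_verify_error = "SSL: unable to get issuer certificate.";
+break;
+
+case X509_V_ERR_UNABLE_TO_GET_CRL:
+ssl_verify_error = "SSL: unable to get certificate CRL.";
+break;
+
+case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+ssl_verify_error = "SSL: unable to decrypt certificate’s signature.";
+break;
+
+case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+ssl_verify_error = "SSL: unable to decrypt CRL’s signature.";
+break;
+
+case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+ssl_verify_error = "SSL: unable to decode issuer public key.";
+break;
+
+case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+ssl_verify_error = "SSL: certificate signature failure.";
+break;
+
+case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+ssl_verify_error = "SSL: CRL signature failure.";
+break;
+
+case X509_V_ERR_CERT_NOT_YET_VALID:
+ssl_verify_error = "SSL: certificate is not yet valid.";
+break;
+
+case X509_V_ERR_CERT_HAS_EXPIRED:
+ssl_verify_error = "SSL: certificate has expired.";
+break;
+
+case X509_V_ERR_CRL_NOT_YET_VALID:
+ssl_verify_error = "SSL: CRL is not yet valid.";
+break;
+
+case X509_V_ERR_CRL_HAS_EXPIRED:
+ssl_verify_error = "SSL: CRL has expired.";
+break;
+
+case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ssl_verify_error = "SSL: format error in certificate’s notBefore field.";
+break;
+
+case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ssl_verify_error = "SSL: format error in certificate’s notAfter field.";
+break;
+
+case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+ssl_verify_error = "SSL: format error in CRL’s lastUpdate field.";
+break;
+
+case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+ssl_verify_error = "SSL: format error in CRL’s nextUpdate field.";
+break;
+
+case X509_V_ERR_OUT_OF_MEM:
+ssl_verify_error = "SSL: out of memory.";
+break;
+
+case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ssl_verify_error = "SSL: self signed certificate.";
+break;
+
+case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ssl_verify_error = "SSL: self signed certificate in certificate chain.";
+break;
+
+case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+ssl_verify_error = "SSL: unable to get local issuer certificate.";
+break;
+
+case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+ssl_verify_error = "SSL: unable to verify the first certificate.";
+break;
+
+case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+ssl_verify_error = "SSL: certificate chain too long.";
+break;
+
+case X509_V_ERR_CERT_REVOKED:
+ssl_verify_error = "SSL: certificate revoked.";
+break;
+
+case X509_V_ERR_INVALID_CA:
+ssl_verify_error = "SSL: invalid CA certificate.";
+break;
+
+case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+ssl_verify_error = "SSL: path length constraint exceeded.";
+break;
+
+case X509_V_ERR_INVALID_PURPOSE:
+ssl_verify_error = "SSL: unsupported certificate purpose.";
+break;
+
+case X509_V_ERR_CERT_UNTRUSTED:
+ssl_verify_error = "SSL: certificate not trusted.";
+break;
+
+case X509_V_ERR_CERT_REJECTED:
+ssl_verify_error = "SSL: certificate rejected.";
+break;
+
+case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+ssl_verify_error = "SSL: subject issuer mismatch.";
+break;
+
+case X509_V_ERR_AKID_SKID_MISMATCH:
+ssl_verify_error = "SSL: authority and subject key identifier mismatch.";
+break;
+
+case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+ssl_verify_error = "SSL: authority and issuer serial number mismatch.";
+break;
+
+case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+ssl_verify_error = "SSL: key usage does not include certificate signing.";
+break;
+default:
+ssl_verify_error = "SSL: Unknown error.";
+};
+prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n%s Code: %d\n"
+"Accept certificate [a=always/y/N]? ", desc, warning, ssl_verify_error, vresult);
 BIO_free(mem);
 
 prompt_user(prompt, &ans);
 free(prompt);
 if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) {
 X509_free(cert);
 ssl_set_errmsg("SSL certificate declined");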
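Review bot: The decoded verification result only changes the message text; every failure code, including `X509_V_ERR_CERT_REVOKED`, `X509_V_ERR_CERT_SIGNATURE_FAILURE` and the expired/not-yet-valid cases, still reaches the same `Accept certificate [a=always/y/N]?` prompt at new lines 327-328, so a revoked or badly-signed certificate can be accepted interactively and, with `a`, apparently remembered for the host like the saved certificate the warning refers to. The switch should feed a decision as well as a string: refuse outright, or at least withhold the `a=always` option, for the revocation and signature-failure codes, and keep the prompt for the self-signed/untrusted-issuer cases the prompt was designed for. The hand-maintained table at 200-326 also duplicates OpenSSL's own and reports "Unknown error" for any code it does not list; `X509_verify_cert_error_string(vresult)` covers every code, so the whole switch could collapse to `const char *ssl_verify_error = X509_verify_cert_error_string(vresult);` (at the cost of the `SSL: ` prefix and the typographic apostrophes, which the current literals embed as non-ASCII bytes in a terminal prompt). Minor: `SSL_get_verify_result()` returns `long` while `vresult` is `int`, and the `;` after the switch's closing brace at 326 is a stray empty statement. ssl_open() begins in the first hunk and its body continues past the end of this one.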