Overview
| Artifact ID: | be789d5307e4edc10219a8e10ea5fd8521c8a210 |
|---|---|
| Ticket: | f696bc85f8b91d263f5bf4c5bbd261bd252c46a0 Client side verification of SSL server certificates should use system wide default CAs |
| User & Date: | anonymous 2010-07-14 14:50:53 |
Changes
- comment changed to:
Most installations of OpenSSL come with a system wide directory of default certificate authorities and most applications using OpenSSL make use of this certificate store during server certificate verification, which is handy because a system administrator only has to manage one central store of acceptable certificate authorities. Fossil presently doesn't use the system wide CA certificate store, but I think it should :-) The necessary change is only one line of code: <verbatim> Index: src/http_ssl.c =================================================================== --- src/http_ssl.c +++ src/http_ssl.c @@ -90,10 +90,11 @@ SSL_library_init(); SSL_load_error_strings(); ERR_load_BIO_strings(); OpenSSL_add_all_algorithms(); sslCtx = SSL_CTX_new(SSLv23_client_method()); + X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx)); sslIsInit = 1; } } /* </verbatim>
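Review bot: the added X509_STORE_set_default_paths() call discards its return value (0 on failure), so a failure to set up the default CA lookups right after SSL_CTX_new() goes unreported. Check the result and report it through the error strings loaded a few lines above; SSL_CTX_set_default_verify_paths(sslCtx) does the same job without reaching into the store. A short comment would also help, noting that populating the store does not by itself make an untrusted server certificate fatal: that depends on the verify mode or on checking the verify result after the handshake, neither of which is visible in this hunk.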
- foundin changed to: "fb5f0c2580"
- private_contact changed to: "911ecc80502632daad095cf04dac560d4ed25ad4"
- severity changed to: "Minor"
- status changed to: "Open"
- title changed to:
Client side verification of SSL server certificates should use system wide default CAs
- type changed to: "Feature_Request"