2010-10-06
12:15 | • Fixed ticket [f696bc85f8]: Client side verification of SSL server certificates should use system wide default CAs plus 1 other change ... (artifact: 621cd86f7b user: drh)
12:15 | SSL uses system-wide default CAs. Ticket [f696bc85f8b91d263f5bf4c5bbd2]. ... (check-in: 8995df3aee user: drh tags: trunk)
2010-07-14
14:50 | • New ticket [f696bc85f8] Client side verification of SSL server certificates should use system wide default CAs. ... (artifact: be789d5307 user: anonymous)
Ticket Hash: f696bc85f8b91d263f5bf4c5bbd261bd252c46a0
Title: Client side verification of SSL server certificates should use system wide default CAs
Status: Fixed
Type: Feature_Request
Severity: Minor
Priority:
Subsystem:
Resolution: Fixed
Last Modified: 2010-10-06 12:15:50
Version Found In: fb5f0c2580
Description:
Most installations of OpenSSL come with a system wide directory of default certificate authorities and most applications using OpenSSL make use of this certificate store during server certificate verification, which is handy because a system administrator only has to manage one central store of acceptable certificate authorities.
Fossil presently doesn't use the system wide CA certificate store, but I think it should :-) The necessary change is only one line of code: Index: src/http_ssl.c =================================================================== --- src/http_ssl.c +++ src/http_ssl.c @@ -90,10 +90,11 @@ SSL_library_init(); SSL_load_error_strings(); ERR_load_BIO_strings(); OpenSSL_add_all_algorithms(); sslCtx = SSL_CTX_new(SSLv23_client_method()); + X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx)); sslIsInit = 1; } } /* |
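Review bot: the added line X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx)); discards its return value, so a failure to set up the default CA locations goes unnoticed at initialization. Check the result (1 means success) and report the error; SSL_load_error_strings() has already been called a few lines above, so a readable message is available. The same line also passes sslCtx to SSL_CTX_get_cert_store() directly after SSL_CTX_new() with no NULL check, so test sslCtx before using it. SSL_CTX_set_default_verify_paths(sslCtx) does the same job in a single call and would read more directly here. A one-line comment stating that this loads the system-wide default CA file and directory would also help, since the surrounding calls are all generic library setup.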