Largely rewrote www/ssl.wiki, it being 7 years since the last update,
during which time much has changed in TLS land. Added the initial
version of www/tls-nginx.md as a companion article to it, since the
topic is too deep to get into within ssl.wiki. Finally, added a new
script, tools/fslsrv, referred to by tls-nginx.md, since it's too big to
put inline within the article.
-If you are storing sensitive information in your repository, you should use SSL to encrypt all communications. This will protect the credentials used to access the server, as well preventing eavesdropping of the contents of your repository.
6
-
7
-To host a repository with SSL, you need to use an web server which supports SSL in front of the Fossil server. You can host it using the CGI option or by proxying Fossil's built in HTTP server.
8
-
9
-Your fossil client must be built with SSL support. The <tt>configure</tt> script will attempt to find OpenSSL on your system, but if necessary, you can specify the location with the <tt>--with-openssl</tt> option. Type <tt>./configure --help</tt> for details.
10
-
11
-Make sure the URL you clone from uses the <tt>https:</tt> scheme to ensure you're using SSL. If your server is configured to serve the repository from http as well as https, it's easy to accidentally use unencrypted HTTP if you forget the all important 's'.
12
-
13
-
14
-<h2>Certificates</h2>
15
-
16
-To verify the identify of a server, SSL uses certificates. Fossil needs to know which certificates you trust.
17
-
18
-If you are using a self-signed certificate, you'll be asked if you want to accept the certificate the first time you communicate with the server. Verify the certificate fingerprint is correct, then answer "always" to remember your decision.
19
-
20
-If you are using a certificate signed by a certificate authority, you need to specify the certificates you trust with the <tt>ssl-ca-location</tt> setting. Set this globally with the <tt>-global</tt> option for convenience.
21
-
22
-This should be set to the location of a file containing all the PEM encoded certificates you trust. You can obtain a certificate using a web browser, for example, Firefox, or just refer to your system's trusted CA roots which are usually stored somewhere in <tt>/etc</tt>.
23
-
24
-
25
-<h2>Client side certificates</h2>
26
-
27
-You can also use client side certificates to add an extra layer of authentication, over and above Fossil's built in user management. If you are particularly paranoid, you'll want to use this to remove the ability of anyone on the internet from making any request to Fossil. Without presenting a valid client side certificate, the web server won't invoke the fossil CGI handler.
28
-
29
-Configure your server to request a client side certificate, and set up a certificate authority to sign your client certificates. For each person who needs to access the repository, create a private key and certificate signed with that CA.
30
-
31
-The PEM encoded private key and certificate should be stored in a single file, simply by concatenating the key and certificate files. Specify the location of this file with the <tt>ssl-identity</tt> setting, or the <tt>--ssl-identity</tt> option to the <tt>clone</tt> command.
32
-
33
-If you've password protected the private key, the password will be requested every time you connect to the server. This password is not stored by fossil, as doing so would defeat the purpose of having a password.
34
-
35
-If you attempt to connect to a server which requests a client certificate, but don't provide one, fossil will show an error message which explains what to do to authenticate with the server.
36
-
1
+<title>TLS and Fossil</title>
2
+
3
+<h2>Using TLS-Encrypted Communications with Fossil</h2>
4
+
5
+If you are storing sensitive information in a repository accessible over
6
+a network whose integrity you do not fully trust, you should use TLS to
7
+encrypt all communications with it. This is most true for repositories
8
+accessed over the Internet, especially if they will be accessed from
9
+edge networks you do not control, since that admits of various forms of
10
+[https://en.wikipedia.org/wiki/Man-in-the-middle_attack|man in the
11
+middle attack].
12
+
13
+TLS protects the credentials used to access the server, prevents
14
+eavesdropping, prevents in-flight data modification, prevents server
15
+identify spoofing, and more.
16
+
17
+There are two major aspects to this, both of which have to be addressed
18
+in different ways. Those are the subjects of the next two major
+Fossil's built-in HTTP server feature does not currently have a built-in
158
+way to serve via HTTP over TLS, a.k.a. HTTPS, even when you've linked
159
+Fossil to OpenSSL. To serve a Fossil repository via HTTPS, you must put
160
+it behind some kind of HTTPS proxy.
161
+
162
+
163
+<h3 id="stunnel">stunnel Alone</h3>
164
+
165
+Conceptually, the simplest option is to [https://www.stunnel.org/|set up
166
+stunnel]. A typical configuration is to run Fossil as an HTTP server
167
+bound to localhost only, then export access to it via HTTPS with stunnel
168
+encrypting access to Fossil instance hiding behind it.
169
+
170
+The difficulty comes in configuring it, which really wants a guide that
171
+no one has written for us yet. Until that appears, you'll have to read
172
+the stunnel documentation and that of your TLS certificate provider to
173
+work out how to set this up.
174
+
175
+
176
+<h3 id="althttpd">stunnel + althttpd</h3>
177
+
178
+The public SQLite and Fossil web sites can't just use stunnel + Fossil
179
+because parts of the web site are static, served by
180
+[https://www.sqlite.org/docsrc/file/misc/althttpd.c|a separate web
181
+server called <tt>althttpd</tt>], written by the primary author of both
182
+SQLite and Fossil. It is a lightweight HTTP-only web server. It handles
183
+the static HTTP hits on <tt>sqlite.org</tt> and <tt>fossil-scm.org</tt>,
184
+delegating HTTPS and dynamic Fossil content hits to stunnel and Fossil.
185
+
186
+The only documentation for althttpd currently is in its header comment.
187
+As is typical for drh software, althttpd is a single-file C program, so
188
+that at worst, you just have to read its code to understand it.
189
+
190
+
191
+<h3 id="nginx">nginx</h3>
192
+
193
+If your needs are more complex than althttpd can handle or you'd prefer
194
+to use only software available in your server operating system's package
195
+repository, we recommend that you step up to [http://nginx.org/|nginx].
196
+Setting this up is complex enough that we cover it [./tls-nginx.md|in a
197
+separate document].
198
+
199
+
200
+<h2 id="enforcing">Enforcing TLS Access</h2>
201
+
202
+To use TLS encryption in cloning and syncing to a remote Fossil
203
+repository, be sure to use the <tt>https:</tt> URI scheme in
204
+<tt>clone</tt> and <tt>sync</tt> commands. If your server is configured
205
+to serve the repository via both HTTP and HTTPS, it's easy to
206
+accidentally use unencrypted HTTP if you forget the all-important 's'.
207
+
208
+There is a setting in the Fossil UI under Admin → Access called
209
+"Redirect to HTTPS on the Login page." This setting is not enabled by
210
+default. This setting does not automatically upgrade clones and syncs
211
+done via the <tt>http</tt> URI scheme. It only affects web UI access to
212
+the Fossil repository.
213
+
214
+<b id="rloop">WARNING:</b> Never enable this setting when running Fossil
215
+behind an HTTPS proxy with Fossil running underneath it via HTTP or
216
+SCGI. This will cause an infinite redirect loop any time someone tries
217
+to log into the web UI. Fossil sees that it's being accessed via HTTP,
218
+so it redirects the browser to an HTTPS equivalent URL, which causes the
219
+client to hit the HTTPS front end proxy up again for access, which
220
+causes Fossil to see that it's being accessed via HTTP, so it redirects
221
+the client to...'round and 'round it goes until the web browser detects
222
+it's in a redirect loop and gives up.
223
+
224
+If you wish to enforce TLS-only access to a Fossil web server, it is
225
+best done at the HTTPS front-end proxy layer, not by use of Fossil-level
226
+settings like this one. The [./tls-nginx.md|nginx TLS proxy guide]
227
+shows one way to achieve this, for example.
228
+
229
+
230
+<h2>Terminology Note</h2>
231
+
232
+This document is called <tt>ssl.wiki</tt> for historical reasons. The
233
+TLS protocol was originally called SSL, and it went through several
234
+revisions before being replaced by TLS. Years before this writing, SSL
235
+finally became entirely obsolete due to weaknesses in the protocol fixed
236
+in the later TLS series of protocols.
237
+
238
+Some people still use the term "SSL" when they actually mean "TLS," but
239
+in the Fossil project, we always use "TLS" except when we must preserve
240
+some sort of historical compatibility, as with this document's name in
241
+order to avoid broken external URLs. The Fossil TLS-related settings
242
+also often use "`ssl`" in their names, for the same reason.
243
+
244
+This series of protocols is also called "HTTPS" after the URI scheme
245
+used to specify "HTTP over TLS."
37
246
38
247
ADDED www/tls-nginx.md
--- www/ssl.wiki
+++ www/ssl.wiki
@@ -1,36 +1,245 @@
1
<title>SSL and Fossil</title>
2
3
<h2>Using SSL with Fossil</h2>
4
5
If you are storing sensitive information in your repository, you should use SSL to encrypt all communications. This will protect the credentials used to access the server, as well preventing eavesdropping of the contents of your repository.
6
7
To host a repository with SSL, you need to use an web server which supports SSL in front of the Fossil server. You can host it using the CGI option or by proxying Fossil's built in HTTP server.
8
9
Your fossil client must be built with SSL support. The <tt>configure</tt> script will attempt to find OpenSSL on your system, but if necessary, you can specify the location with the <tt>--with-openssl</tt> option. Type <tt>./configure --help</tt> for details.
10
11
Make sure the URL you clone from uses the <tt>https:</tt> scheme to ensure you're using SSL. If your server is configured to serve the repository from http as well as https, it's easy to accidentally use unencrypted HTTP if you forget the all important 's'.
12
13
14
<h2>Certificates</h2>
15
16
To verify the identify of a server, SSL uses certificates. Fossil needs to know which certificates you trust.
17
18
If you are using a self-signed certificate, you'll be asked if you want to accept the certificate the first time you communicate with the server. Verify the certificate fingerprint is correct, then answer "always" to remember your decision.
19
20
If you are using a certificate signed by a certificate authority, you need to specify the certificates you trust with the <tt>ssl-ca-location</tt> setting. Set this globally with the <tt>-global</tt> option for convenience.
21
22
This should be set to the location of a file containing all the PEM encoded certificates you trust. You can obtain a certificate using a web browser, for example, Firefox, or just refer to your system's trusted CA roots which are usually stored somewhere in <tt>/etc</tt>.
23
24
25
<h2>Client side certificates</h2>
26
27
You can also use client side certificates to add an extra layer of authentication, over and above Fossil's built in user management. If you are particularly paranoid, you'll want to use this to remove the ability of anyone on the internet from making any request to Fossil. Without presenting a valid client side certificate, the web server won't invoke the fossil CGI handler.
28
29
Configure your server to request a client side certificate, and set up a certificate authority to sign your client certificates. For each person who needs to access the repository, create a private key and certificate signed with that CA.
30
31
The PEM encoded private key and certificate should be stored in a single file, simply by concatenating the key and certificate files. Specify the location of this file with the <tt>ssl-identity</tt> setting, or the <tt>--ssl-identity</tt> option to the <tt>clone</tt> command.
32
33
If you've password protected the private key, the password will be requested every time you connect to the server. This password is not stored by fossil, as doing so would defeat the purpose of having a password.
34
35
If you attempt to connect to a server which requests a client certificate, but don't provide one, fossil will show an error message which explains what to do to authenticate with the server.
36
37
38
DDED www/tls-nginx.md
--- www/ssl.wiki
+++ www/ssl.wiki
@@ -1,36 +1,245 @@
1
<title>TLS and Fossil</title>
2
3
<h2>Using TLS-Encrypted Communications with Fossil</h2>
4
5
If you are storing sensitive information in a repository accessible over
6
a network whose integrity you do not fully trust, you should use TLS to
7
encrypt all communications with it. This is most true for repositories
8
accessed over the Internet, especially if they will be accessed from
9
edge networks you do not control, since that admits of various forms of
10
[https://en.wikipedia.org/wiki/Man-in-the-middle_attack|man in the
11
middle attack].
12
13
TLS protects the credentials used to access the server, prevents
14
eavesdropping, prevents in-flight data modification, prevents server
15
identify spoofing, and more.
16
17
There are two major aspects to this, both of which have to be addressed
18
in different ways. Those are the subjects of the next two major