For the "fossil ssl-config" command, show the five possible locations of the trust store in priority order, and show the one that is actually used at the end. In -v mode, show the hash for each exception.
Commit
0abeed1118d726c3d167ab61bdb532c500d4c76576dc651082aa12b823758e6e
Parent
cdcffc413d7c5ee…
1 file changed
+85
-38
+85
-38
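--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -248,11 +248,11 @@
 /*
 ** Call this routine once before any other use of the SSL interface.
 ** This routine does initial configuration of the SSL module.
 */
 static void ssl_global_init_client(void){
-  const char *zCaSetting = 0, *zCaFile = 0, *zCaDirectory = 0;
+  const char *zCaSetting = 0;
   const char *identityFile;
 
   if( sslIsInit==0 ){
     SSL_library_init();
     SSL_load_error_strings();
@@ -266,10 +266,12 @@
   if( zCaSetting==0 || zCaSetting[0]=='\0' ){
     /* CA location not specified, use platform's default certificate store */
     X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx));
   }else{
     /* User has specified a CA location, make sure it exists and use it */
+    const char *zCaFile = 0;
+    const char *zCaDirectory = 0;
     switch( file_isdir(zCaSetting, ExtFILE) ){
       case 0: { /* doesn't exist */
         fossil_fatal("ssl-ca-location is set to '%s', "
                      "but is not a file or directory", zCaSetting);
         break;
@@ -854,10 +856,22 @@
     return n;
   }
 }
 
 #endif /* FOSSIL_ENABLE_SSL */
+
+/*
+** zPath is a name that might be a file or directory containing a trust
+** store. *pzStore is the name of the trust store to actually use.
+**
+** If *pzStore is not NULL (meaning no trust store has been found yet)
+** and if zPath exists, then set *pzStore to point to zPath.
+*/
+static void trust_location_usable(const char *zPath, const char **pzStore){
+  if( *pzStore!=0 ) return;
+  if( file_isdir(zPath, ExtFILE)>0 ) *pzStore = zPath;
+}
 
 /*
 ** COMMAND: tls-config*
 ** COMMAND: ssl-config
 **
@@ -882,10 +896,11 @@
 */
 void test_tlsconfig_info(void){
   const char *zCmd;
   size_t nCmd;
   int nHit = 0;
+
   db_find_and_open_repository(OPEN_OK_NOT_FOUND|OPEN_SUBSTITUTE,0);
   db_open_config(1,0);
   if( g.argc==2 || (g.argc>=3 && g.argv[2][0]=='-') ){
     zCmd = "show";
     nCmd = 4;
@@ -914,76 +929,100 @@
     );
     db_protect_pop();
   }else
   if( strncmp("show",zCmd,nCmd)==0 ){
     const char *zName, *zValue;
+    const char *zUsed = 0; /* Trust store location actually used */
     size_t nName;
     Stmt q;
     int verbose = find_option("verbose","v",0)!=0;
     verify_all_options();
 
 #if !defined(FOSSIL_ENABLE_SSL)
-    fossil_print("OpenSSL-version: (none)\n");
+    fossil_print("OpenSSL-version: (none)\n");
     if( verbose ){
       fossil_print("\n"
         " The OpenSSL library is not used by this build of Fossil\n\n"
       );
     }
 #else
-    fossil_print("OpenSSL-version: %s (0x%09x)\n",
+    fossil_print("OpenSSL-version: %s (0x%09x)\n",
                  SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER);
     if( verbose ){
       fossil_print("\n"
         " The version of the OpenSSL library being used\n"
         " by this instance of Fossil. Version 3.0.0 or\n"
         " later is recommended.\n\n"
       );
     }
 
-    fossil_print("OpenSSL-cert-file: %s\n", X509_get_default_cert_file());
-    fossil_print("OpenSSL-cert-dir: %s\n", X509_get_default_cert_dir());
+    fossil_print("Trust store location\n");
+    zValue = db_get("ssl-ca-location","");
+    trust_location_usable(zValue, &zUsed);
+    fossil_print(" ssl-ca-location: %s\n", zValue);
     if( verbose ){
       fossil_print("\n"
-        " The default locations for the set of root certificates\n"
-        " used by the \"fossil sync\" and similar commands to verify\n"
-        " the identity of servers for \"https:\" URLs. These values\n"
-        " come into play when Fossil is used as a TLS client. These\n"
-        " values are built into your OpenSSL library.\n\n"
+        " This setting is the name of a file or directory that contains\n"
+        " the complete set of root certificates used by Fossil when it\n"
+        " is acting as a SSL client. If defined, this setting takes\n"
+        " priority over built-in paths and environment variables\n\n"
       );
     }
 
     zName = X509_get_default_cert_file_env();
     zValue = fossil_getenv(zName);
     if( zValue==0 ) zValue = "";
+    trust_location_usable(zValue, &zUsed);
     nName = strlen(zName);
-    fossil_print("%s:%*s%s\n", zName, 18-nName, "", zValue);
+    fossil_print(" %s:%*s%s\n", zName, 19-nName, "", zValue);
     zName = X509_get_default_cert_dir_env();
     zValue = fossil_getenv(zName);
     if( zValue==0 ) zValue = "";
-    nName = strlen(zName);
-    fossil_print("%s:%*s%s\n", zName, 18-nName, "", zValue);
-    if( verbose ){
-      fossil_print("\n"
-        " Alternative locations for the root certificates used by Fossil\n"
-        " when it is acting as a SSL client in order to verify the identity\n"
-        " of servers. If specified, these alternative locations override\n"
-        " the built-in locations.\n\n"
-      );
-    }
-#endif /* FOSSIL_ENABLE_SSL */
-
-    fossil_print("ssl-ca-location: %s\n", db_get("ssl-ca-location",""));
-    if( verbose ){
-      fossil_print("\n"
-        " This setting is the name of a file or directory that contains\n"
-        " the complete set of root certificates used by Fossil when it\n"
-        " is acting as a SSL client. If defined, this setting takes\n"
-        " priority over built-in paths and environment variables\n\n"
-      );
-    }
-
-    fossil_print("ssl-identity: %s\n", db_get("ssl-identity",""));
+    trust_location_usable(zValue, &zUsed);
+    nName = strlen(zName);
+    fossil_print(" %s:%*s%s\n", zName, 19-nName, "", zValue);
+    if( verbose ){
+      fossil_print("\n"
+        " Environment variables that determine alternative locations for\n"
+        " the root certificates used by Fossil when it is acting as a SSL\n"
+        " client. If specified, these alternative locations override\n"
+        " the built-in locations.\n\n"
+      );
+    }
+
+    zValue = X509_get_default_cert_file();
+    trust_location_usable(zValue, &zUsed);
+    fossil_print(" OpenSSL-cert-file: %s\n", zValue);
+    zValue = X509_get_default_cert_dir();
+    trust_location_usable(zValue, &zUsed);
+    fossil_print(" OpenSSL-cert-dir: %s\n", X509_get_default_cert_dir());
+    if( verbose ){
+      fossil_print("\n"
+        " The default locations for the set of root certificates\n"
+        " used by the \"fossil sync\" and similar commands to verify\n"
+        " the identity of servers for \"https:\" URLs. These values\n"
+        " come into play when Fossil is used as a TLS client. These\n"
+        " values are built into your OpenSSL library.\n\n"
+      );
+    }
+
+    if( zUsed==0 ) zUsed = "";
+    fossil_print(" Trust store used: %s\n", zUsed);
+    if( verbose ){
+      fossil_print("\n"
+        " The location that is actually used for the root certificates\n"
+        " used to verify the identity of servers for \"https:\" URLs.\n"
+        " This will be one of the first of the five locations listed\n"
+        " above that actually exists.\n\n"
+      );
+    }
+
+
+#endif /* FOSSIL_ENABLE_SSL */
+
+
+    fossil_print("ssl-identity: %s\n", db_get("ssl-identity",""));
     if( verbose ){
       fossil_print("\n"
         " This setting is the name of a file that contains the PEM-format\n"
         " certificate and private-key used by Fossil clients to authenticate\n"
         " with servers. Few servers actually require this, so this setting\n"
@@ -990,21 +1029,29 @@
         " is usually blank.\n\n"
       );
     }
 
     db_prepare(&q,
-      "SELECT name, '' FROM global_config"
+      "SELECT name, '', value FROM global_config"
       " WHERE name GLOB 'cert:*'"
       "UNION ALL "
-      "SELECT name, date(mtime,'unixepoch') FROM config"
+      "SELECT name, date(mtime,'unixepoch'), value FROM config"
       " WHERE name GLOB 'cert:*'"
       " ORDER BY name"
     );
     nHit = 0;
     while( db_step(&q)==SQLITE_ROW ){
-      fossil_print("exception: %-40s %s\n",
-                   db_column_text(&q,0)+5, db_column_text(&q,1));
+      /* 123456789 123456789 123456789 */
+      if( verbose ){
+        fossil_print("exception: %-40s %s\n"
+                     " hash: %.57s\n",
+                     db_column_text(&q,0)+5, db_column_text(&q,1),
+                     db_column_text(&q,2));
+      }else{
+        fossil_print("exception: %-40s %s\n",
+                     db_column_text(&q,0)+5, db_column_text(&q,1));
+      }
       nHit++;
     }
     db_finalize(&q);
     if( nHit && verbose ){
       fossil_print("\n"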
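Review bot: The header comment on `trust_location_usable` (new lines 866–867) is inverted relative to the body: the function returns early when `*pzStore!=0`, so the comment should read `** If *pzStore is NULL (meaning no trust store has been found yet)` to match the code. The `Trust store used` line in the 929–1028 hunk presents the trust store as the first of five locations that exists, but the `X509_STORE_set_default_paths` call kept in the 266–277 hunk, as far as I recall, installs both a file lookup and a hash-directory lookup, each independently overridden by its own environment variable, so a file and a directory may be in effect at the same time and the -v text should say that the single reported path is an approximation of what the client actually loads, since operators debugging a certificate-verification failure will rely on it. Two smaller points in the same hunk: new line 997 should print `zValue` instead of calling `X509_get_default_cert_dir()` a second time, matching line 994, and `zUsed` (new line 934) is declared outside the `#if` so it is unused in a build without FOSSIL_ENABLE_SSL and may draw an unused-variable warning. `test_tlsconfig_info` starts and ends outside the hunks shown.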
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -248,11 +248,11 @@ | |
| 248 | /* |
| 249 | ** Call this routine once before any other use of the SSL interface. |
| 250 | ** This routine does initial configuration of the SSL module. |
| 251 | */ |
| 252 | static void ssl_global_init_client(void){ |
| 253 | const char *zCaSetting = 0, *zCaFile = 0, *zCaDirectory = 0; |
| 254 | const char *identityFile; |
| 255 | |
| 256 | if( sslIsInit==0 ){ |
| 257 | SSL_library_init(); |
| 258 | SSL_load_error_strings(); |
| @@ -266,10 +266,12 @@ | |
| 266 | if( zCaSetting==0 || zCaSetting[0]=='\0' ){ |
| 267 | /* CA location not specified, use platform's default certificate store */ |
| 268 | X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx)); |
| 269 | }else{ |
| 270 | /* User has specified a CA location, make sure it exists and use it */ |
| 271 | switch( file_isdir(zCaSetting, ExtFILE) ){ |
| 272 | case 0: { /* doesn't exist */ |
| 273 | fossil_fatal("ssl-ca-location is set to '%s', " |
| 274 | "but is not a file or directory", zCaSetting); |
| 275 | break; |
| @@ -854,10 +856,22 @@ | |
| 854 | return n; |
| 855 | } |
| 856 | } |
| 857 | |
| 858 | #endif /* FOSSIL_ENABLE_SSL */ |
| 859 | |
| 860 | /* |
| 861 | ** COMMAND: tls-config* |
| 862 | ** COMMAND: ssl-config |
| 863 | ** |
| @@ -882,10 +896,11 @@ | |
| 882 | */ |
| 883 | void test_tlsconfig_info(void){ |
| 884 | const char *zCmd; |
| 885 | size_t nCmd; |
| 886 | int nHit = 0; |
| 887 | db_find_and_open_repository(OPEN_OK_NOT_FOUND|OPEN_SUBSTITUTE,0); |
| 888 | db_open_config(1,0); |
| 889 | if( g.argc==2 || (g.argc>=3 && g.argv[2][0]=='-') ){ |
| 890 | zCmd = "show"; |
| 891 | nCmd = 4; |
| @@ -914,76 +929,100 @@ | |
| 914 | ); |
| 915 | db_protect_pop(); |
| 916 | }else |
| 917 | if( strncmp("show",zCmd,nCmd)==0 ){ |
| 918 | const char *zName, *zValue; |
| 919 | size_t nName; |
| 920 | Stmt q; |
| 921 | int verbose = find_option("verbose","v",0)!=0; |
| 922 | verify_all_options(); |
| 923 | |
| 924 | #if !defined(FOSSIL_ENABLE_SSL) |
| 925 | fossil_print("OpenSSL-version: (none)\n"); |
| 926 | if( verbose ){ |
| 927 | fossil_print("\n" |
| 928 | " The OpenSSL library is not used by this build of Fossil\n\n" |
| 929 | ); |
| 930 | } |
| 931 | #else |
| 932 | fossil_print("OpenSSL-version: %s (0x%09x)\n", |
| 933 | SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER); |
| 934 | if( verbose ){ |
| 935 | fossil_print("\n" |
| 936 | " The version of the OpenSSL library being used\n" |
| 937 | " by this instance of Fossil. Version 3.0.0 or\n" |
| 938 | " later is recommended.\n\n" |
| 939 | ); |
| 940 | } |
| 941 | |
| 942 | fossil_print("OpenSSL-cert-file: %s\n", X509_get_default_cert_file()); |
| 943 | fossil_print("OpenSSL-cert-dir: %s\n", X509_get_default_cert_dir()); |
| 944 | if( verbose ){ |
| 945 | fossil_print("\n" |
| 946 | " The default locations for the set of root certificates\n" |
| 947 | " used by the \"fossil sync\" and similar commands to verify\n" |
| 948 | " the identity of servers for \"https:\" URLs. These values\n" |
| 949 | " come into play when Fossil is used as a TLS client. These\n" |
| 950 | " values are built into your OpenSSL library.\n\n" |
| 951 | ); |
| 952 | } |
| 953 | |
| 954 | zName = X509_get_default_cert_file_env(); |
| 955 | zValue = fossil_getenv(zName); |
| 956 | if( zValue==0 ) zValue = ""; |
| 957 | nName = strlen(zName); |
| 958 | fossil_print("%s:%*s%s\n", zName, 18-nName, "", zValue); |
| 959 | zName = X509_get_default_cert_dir_env(); |
| 960 | zValue = fossil_getenv(zName); |
| 961 | if( zValue==0 ) zValue = ""; |
| 962 | nName = strlen(zName); |
| 963 | fossil_print("%s:%*s%s\n", zName, 18-nName, "", zValue); |
| 964 | if( verbose ){ |
| 965 | fossil_print("\n" |
| 966 | " Alternative locations for the root certificates used by Fossil\n" |
| 967 | " when it is acting as a SSL client in order to verify the identity\n" |
| 968 | " of servers. If specified, these alternative locations override\n" |
| 969 | " the built-in locations.\n\n" |
| 970 | ); |
| 971 | } |
| 972 | #endif /* FOSSIL_ENABLE_SSL */ |
| 973 | |
| 974 | fossil_print("ssl-ca-location: %s\n", db_get("ssl-ca-location","")); |
| 975 | if( verbose ){ |
| 976 | fossil_print("\n" |
| 977 | " This setting is the name of a file or directory that contains\n" |
| 978 | " the complete set of root certificates used by Fossil when it\n" |
| 979 | " is acting as a SSL client. If defined, this setting takes\n" |
| 980 | " priority over built-in paths and environment variables\n\n" |
| 981 | ); |
| 982 | } |
| 983 | |
| 984 | fossil_print("ssl-identity: %s\n", db_get("ssl-identity","")); |
| 985 | if( verbose ){ |
| 986 | fossil_print("\n" |
| 987 | " This setting is the name of a file that contains the PEM-format\n" |
| 988 | " certificate and private-key used by Fossil clients to authenticate\n" |
| 989 | " with servers. Few servers actually require this, so this setting\n" |
| @@ -990,21 +1029,29 @@ | |
| 990 | " is usually blank.\n\n" |
| 991 | ); |
| 992 | } |
| 993 | |
| 994 | db_prepare(&q, |
| 995 | "SELECT name, '' FROM global_config" |
| 996 | " WHERE name GLOB 'cert:*'" |
| 997 | "UNION ALL " |
| 998 | "SELECT name, date(mtime,'unixepoch') FROM config" |
| 999 | " WHERE name GLOB 'cert:*'" |
| 1000 | " ORDER BY name" |
| 1001 | ); |
| 1002 | nHit = 0; |
| 1003 | while( db_step(&q)==SQLITE_ROW ){ |
| 1004 | fossil_print("exception: %-40s %s\n", |
| 1005 | db_column_text(&q,0)+5, db_column_text(&q,1)); |
| 1006 | nHit++; |
| 1007 | } |
| 1008 | db_finalize(&q); |
| 1009 | if( nHit && verbose ){ |
| 1010 | fossil_print("\n" |
| 1011 |
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -248,11 +248,11 @@ | |
| 248 | /* |
| 249 | ** Call this routine once before any other use of the SSL interface. |
| 250 | ** This routine does initial configuration of the SSL module. |
| 251 | */ |
| 252 | static void ssl_global_init_client(void){ |
| 253 | const char *zCaSetting = 0; |
| 254 | const char *identityFile; |
| 255 | |
| 256 | if( sslIsInit==0 ){ |
| 257 | SSL_library_init(); |
| 258 | SSL_load_error_strings(); |
| @@ -266,10 +266,12 @@ | |
| 266 | if( zCaSetting==0 || zCaSetting[0]=='\0' ){ |
| 267 | /* CA location not specified, use platform's default certificate store */ |
| 268 | X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx)); |
| 269 | }else{ |
| 270 | /* User has specified a CA location, make sure it exists and use it */ |
| 271 | const char *zCaFile = 0; |
| 272 | const char *zCaDirectory = 0; |
| 273 | switch( file_isdir(zCaSetting, ExtFILE) ){ |
| 274 | case 0: { /* doesn't exist */ |
| 275 | fossil_fatal("ssl-ca-location is set to '%s', " |
| 276 | "but is not a file or directory", zCaSetting); |
| 277 | break; |
| @@ -854,10 +856,22 @@ | |
| 856 | return n; |
| 857 | } |
| 858 | } |
| 859 | |
| 860 | #endif /* FOSSIL_ENABLE_SSL */ |
| 861 | |
| 862 | /* |
| 863 | ** zPath is a name that might be a file or directory containing a trust |
| 864 | ** store. *pzStore is the name of the trust store to actually use. |
| 865 | ** |
| 866 | ** If *pzStore is not NULL (meaning no trust store has been found yet) |
| 867 | ** and if zPath exists, then set *pzStore to point to zPath. |
| 868 | */ |
| 869 | static void trust_location_usable(const char *zPath, const char **pzStore){ |
| 870 | if( *pzStore!=0 ) return; |
| 871 | if( file_isdir(zPath, ExtFILE)>0 ) *pzStore = zPath; |
| 872 | } |
| 873 | |
| 874 | /* |
| 875 | ** COMMAND: tls-config* |
| 876 | ** COMMAND: ssl-config |
| 877 | ** |
| @@ -882,10 +896,11 @@ | |
| 896 | */ |
| 897 | void test_tlsconfig_info(void){ |
| 898 | const char *zCmd; |
| 899 | size_t nCmd; |
| 900 | int nHit = 0; |
| 901 | |
| 902 | db_find_and_open_repository(OPEN_OK_NOT_FOUND|OPEN_SUBSTITUTE,0); |
| 903 | db_open_config(1,0); |
| 904 | if( g.argc==2 || (g.argc>=3 && g.argv[2][0]=='-') ){ |
| 905 | zCmd = "show"; |
| 906 | nCmd = 4; |
| @@ -914,76 +929,100 @@ | |
| 929 | ); |
| 930 | db_protect_pop(); |
| 931 | }else |
| 932 | if( strncmp("show",zCmd,nCmd)==0 ){ |
| 933 | const char *zName, *zValue; |
| 934 | const char *zUsed = 0; /* Trust store location actually used */ |
| 935 | size_t nName; |
| 936 | Stmt q; |
| 937 | int verbose = find_option("verbose","v",0)!=0; |
| 938 | verify_all_options(); |
| 939 | |
| 940 | #if !defined(FOSSIL_ENABLE_SSL) |
| 941 | fossil_print("OpenSSL-version: (none)\n"); |
| 942 | if( verbose ){ |
| 943 | fossil_print("\n" |
| 944 | " The OpenSSL library is not used by this build of Fossil\n\n" |
| 945 | ); |
| 946 | } |
| 947 | #else |
| 948 | fossil_print("OpenSSL-version: %s (0x%09x)\n", |
| 949 | SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER); |
| 950 | if( verbose ){ |
| 951 | fossil_print("\n" |
| 952 | " The version of the OpenSSL library being used\n" |
| 953 | " by this instance of Fossil. Version 3.0.0 or\n" |
| 954 | " later is recommended.\n\n" |
| 955 | ); |
| 956 | } |
| 957 | |
| 958 | fossil_print("Trust store location\n"); |
| 959 | zValue = db_get("ssl-ca-location",""); |
| 960 | trust_location_usable(zValue, &zUsed); |
| 961 | fossil_print(" ssl-ca-location: %s\n", zValue); |
| 962 | if( verbose ){ |
| 963 | fossil_print("\n" |
| 964 | " This setting is the name of a file or directory that contains\n" |
| 965 | " the complete set of root certificates used by Fossil when it\n" |
| 966 | " is acting as a SSL client. If defined, this setting takes\n" |
| 967 | " priority over built-in paths and environment variables\n\n" |
| 968 | ); |
| 969 | } |
| 970 | |
| 971 | zName = X509_get_default_cert_file_env(); |
| 972 | zValue = fossil_getenv(zName); |
| 973 | if( zValue==0 ) zValue = ""; |
| 974 | trust_location_usable(zValue, &zUsed); |
| 975 | nName = strlen(zName); |
| 976 | fossil_print(" %s:%*s%s\n", zName, 19-nName, "", zValue); |
| 977 | zName = X509_get_default_cert_dir_env(); |
| 978 | zValue = fossil_getenv(zName); |
| 979 | if( zValue==0 ) zValue = ""; |
| 980 | trust_location_usable(zValue, &zUsed); |
| 981 | nName = strlen(zName); |
| 982 | fossil_print(" %s:%*s%s\n", zName, 19-nName, "", zValue); |
| 983 | if( verbose ){ |
| 984 | fossil_print("\n" |
| 985 | " Environment variables that determine alternative locations for\n" |
| 986 | " the root certificates used by Fossil when it is acting as a SSL\n" |
| 987 | " client. If specified, these alternative locations override\n" |
| 988 | " the built-in locations.\n\n" |
| 989 | ); |
| 990 | } |
| 991 | |
| 992 | zValue = X509_get_default_cert_file(); |
| 993 | trust_location_usable(zValue, &zUsed); |
| 994 | fossil_print(" OpenSSL-cert-file: %s\n", zValue); |
| 995 | zValue = X509_get_default_cert_dir(); |
| 996 | trust_location_usable(zValue, &zUsed); |
| 997 | fossil_print(" OpenSSL-cert-dir: %s\n", X509_get_default_cert_dir()); |
| 998 | if( verbose ){ |
| 999 | fossil_print("\n" |
| 1000 | " The default locations for the set of root certificates\n" |
| 1001 | " used by the \"fossil sync\" and similar commands to verify\n" |
| 1002 | " the identity of servers for \"https:\" URLs. These values\n" |
| 1003 | " come into play when Fossil is used as a TLS client. These\n" |
| 1004 | " values are built into your OpenSSL library.\n\n" |
| 1005 | ); |
| 1006 | } |
| 1007 | |
| 1008 | if( zUsed==0 ) zUsed = ""; |
| 1009 | fossil_print(" Trust store used: %s\n", zUsed); |
| 1010 | if( verbose ){ |
| 1011 | fossil_print("\n" |
| 1012 | " The location that is actually used for the root certificates\n" |
| 1013 | " used to verify the identity of servers for \"https:\" URLs.\n" |
| 1014 | " This will be one of the first of the five locations listed\n" |
| 1015 | " above that actually exists.\n\n" |
| 1016 | ); |
| 1017 | } |
| 1018 | |
| 1019 | |
| 1020 | #endif /* FOSSIL_ENABLE_SSL */ |
| 1021 | |
| 1022 | |
| 1023 | fossil_print("ssl-identity: %s\n", db_get("ssl-identity","")); |
| 1024 | if( verbose ){ |
| 1025 | fossil_print("\n" |
| 1026 | " This setting is the name of a file that contains the PEM-format\n" |
| 1027 | " certificate and private-key used by Fossil clients to authenticate\n" |
| 1028 | " with servers. Few servers actually require this, so this setting\n" |
| @@ -990,21 +1029,29 @@ | |
| 1029 | " is usually blank.\n\n" |
| 1030 | ); |
| 1031 | } |
| 1032 | |
| 1033 | db_prepare(&q, |
| 1034 | "SELECT name, '', value FROM global_config" |
| 1035 | " WHERE name GLOB 'cert:*'" |
| 1036 | "UNION ALL " |
| 1037 | "SELECT name, date(mtime,'unixepoch'), value FROM config" |
| 1038 | " WHERE name GLOB 'cert:*'" |
| 1039 | " ORDER BY name" |
| 1040 | ); |
| 1041 | nHit = 0; |
| 1042 | while( db_step(&q)==SQLITE_ROW ){ |
| 1043 | /* 123456789 123456789 123456789 */ |
| 1044 | if( verbose ){ |
| 1045 | fossil_print("exception: %-40s %s\n" |
| 1046 | " hash: %.57s\n", |
| 1047 | db_column_text(&q,0)+5, db_column_text(&q,1), |
| 1048 | db_column_text(&q,2)); |
| 1049 | }else{ |
| 1050 | fossil_print("exception: %-40s %s\n", |
| 1051 | db_column_text(&q,0)+5, db_column_text(&q,1)); |
| 1052 | } |
| 1053 | nHit++; |
| 1054 | } |
| 1055 | db_finalize(&q); |
| 1056 | if( nHit && verbose ){ |
| 1057 | fossil_print("\n" |
| 1058 |