Fossil SCM
Assorted fixes and improvements to the ssl.wiki doc
Commit
27458ef7ba9e655637239a27e2ea8514007a465b0127bf130efc441a21169289
Parent
716ae7c06994b8e…
1 file changed
+15
-16
| --- www/ssl.wiki | ||
| +++ www/ssl.wiki | ||
| @@ -17,15 +17,14 @@ | ||
| 17 | 17 | There are two major aspects to this, both of which have to be addressed |
| 18 | 18 | in different ways. Those are the subjects of the next two major |
| 19 | 19 | sections. |
| 20 | 20 | |
| 21 | 21 | |
| 22 | -<h2 id="client">Fossil TLS Configuration: Client Side</h2> | |
| 22 | +<h2 id="client">Client-Side Configuration</h2> | |
| 23 | 23 | |
| 24 | -Fossil itself has built-in support for TLS on the client side only. That | |
| 25 | -is to say, you can build it against [https://www.openssl.org/|the | |
| 26 | -OpenSSL library], which will allow it to clone and sync with a remote | |
| 24 | +You can build Fossil against [https://www.openssl.org/ | | |
| 25 | +OpenSSL] to allow it to clone and sync with a remote | |
| 27 | 26 | Fossil repository via <tt>https</tt> URIs. |
| 28 | 27 | |
| 29 | 28 | |
| 30 | 29 | <h3 id="openssl-bin">Building Against OpenSSL Automatically</h3> |
| 31 | 30 | |
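Review bot: The rewritten link on new lines 24-25 breaks immediately after the pipe, so the target and its one-word label sit on separate short lines. The other links this commit touches, such as `[./ssl-server.md | TLS support]`, keep target and label together, so rewrap the paragraph to put `[https://www.openssl.org/ | OpenSSL]` on a single line. Keeping `id="client"` on the renamed heading is right, since existing anchors into this section keep working.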
| @@ -36,11 +35,11 @@ | ||
| 36 | 35 | |
| 37 | 36 | If it can't find the files it needs, the most common solution is to |
| 38 | 37 | install the OpenSSL development package on your system via your OS's |
| 39 | 38 | package manager. Examples: |
| 40 | 39 | |
| 41 | - * <b>RHEL & Fedora</b>: <tt>sudo yum install openssl-devel</tt> | |
| 40 | + * <b>RHEL & Fedora</b>: <tt>sudo dnf install openssl-devel</tt> | |
| 42 | 41 | * <b>Debian & Ubuntu</b>: <tt>sudo apt install libssl-dev</tt> |
| 43 | 42 | * <b>FreeBSD</b>: <tt>su -c 'pkg install openssl'</tt> |
| 44 | 43 | * <b>macOS</b>: <tt>sudo brew install openssl</tt> |
| 45 | 44 | * <b>Cygwin</b>: Install <tt>openssl-devel</tt> via Cygwin's |
| 46 | 45 | <tt>setup-*.exe</tt> program |
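Review bot: On new line 40 the bullet is still labelled "RHEL & Fedora", but `dnf` is only the default package manager from RHEL 8 onward; RHEL 7 and earlier ship `yum` alone. Either narrow the label or mention `yum` as the fallback for older releases. While this list is open, the unchanged macOS line `sudo brew install openssl` is also worth fixing, since Homebrew refuses to run under `sudo`.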
| @@ -224,19 +223,19 @@ | ||
| 224 | 223 | If you attempt to connect to a server which requests a client |
| 225 | 224 | certificate, but don't provide one, fossil will show an error message |
| 226 | 225 | which explains what to do to authenticate with the server. |
| 227 | 226 | |
| 228 | 227 | |
| 229 | -<h2 id="server">Fossil TLS Configuration: Server Side</h2> | |
| 230 | - | |
| 231 | -Fossil's built-in HTTP server feature did not add [./ssl-server.md|support HTTP over TLS] | |
| 232 | -(a.k.a. HTTPS) until version 2.18 (early 2022). Prior to that, system | |
| 233 | -administrators that wanted to add HTTPS support to a Fossil server had | |
| 234 | -to put Fossil behind a web-server or reverse-proxy that would do the | |
| 235 | -HTTPS to HTTP translation. [./server/ | Instructions for doing so] | |
| 236 | -are found elsewhere in this documentation. A few of the most useful | |
| 237 | -of these are: | |
| 228 | +<h2 id="server">Server-Side Configuration</h2> | |
| 229 | + | |
| 230 | +Fossil's built-in HTTP server got [./ssl-server.md | TLS support] in | |
| 231 | +December 2021, released as version 2.18 in early 2022. Prior to that, | |
| 232 | +system administrators that wanted to add TLS support to a Fossil server | |
| 233 | +had to put it behind a reverse proxy that would do the translation. | |
| 234 | +Since advantages remain for delegating TLS to another layer in the | |
| 235 | +stack, instructions for doing so continue to be included in our | |
| 236 | +documentation, such as: | |
| 238 | 237 | |
| 239 | 238 | * <a id="stunnel" href="./server/any/stunnel.md">Serving via stunnel</a> |
| 240 | 239 | * <a id="althttpd" href="./server/any/althttpd.md">Serving via stunnel + althttpd</a> |
| 241 | 240 | * <a id="nginx" href="./server/debian/nginx.md#tls">Serving via SCGI with nginx on Debian</a> |
| 242 | 241 | |
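Review bot: The rewrite on new lines 230-236 removes the `[./server/ | Instructions for doing so]` link, so the general server documentation index is no longer reachable from this paragraph and only the three listed guides remain. Consider keeping that link on the phrase "instructions for doing so". Two smaller wording points in the same paragraph: "do the translation" no longer says what is translated now that "HTTPS to HTTP" is gone, and "advantages remain for delegating TLS to another layer" names none of them, so a short example or a link to where they are discussed would help.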
| @@ -287,11 +286,11 @@ | ||
| 287 | 286 | fix the setting, and then upload it to the repository server |
| 288 | 287 | again.</p> |
| 289 | 288 | |
| 290 | 289 | It's best to enforce TLS-only access at the front-end proxy level |
| 291 | 290 | anyway. It not only avoids the problem entirely, it can be significantly |
| 292 | -more secure. The [server/debian/nginx.md#tls | nginx-on-Debian proxy guide] shows one way | |
| 291 | +more secure. The [./server/debian/nginx.md#tls | nginx-on-Debian proxy guide] shows one way | |
| 293 | 292 | to achieve this.</p> |
| 294 | 293 | |
| 295 | 294 | |
| 296 | 295 | <h2>Terminology Note</h2> |
| 297 | 296 | |
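Review bot: Adding the `./` prefix on new line 291 makes an already over-long line longer than the wrap width used by the surrounding text, so reflow the paragraph so the link starts on its own line. Since this fixes one bare relative link, it is worth checking the rest of `www/ssl.wiki` for other links that still lack the `./` prefix so they can be corrected in the same commit.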
| @@ -303,9 +302,9 @@ | ||
| 303 | 302 | |
| 304 | 303 | Some people still use the term "SSL" when they actually mean "TLS," but |
| 305 | 304 | in the Fossil project, we always use "TLS" except when we must preserve |
| 306 | 305 | some sort of historical compatibility, as with this document's name in |
| 307 | 306 | order to avoid broken external URLs. The Fossil TLS-related settings |
| 308 | -also often use "<tt>ssl</tt>" in their names, for the same reason. | |
| 307 | +also often use "<tt>ssl</tt>" in their names for the same reason. | |
| 309 | 308 | |
| 310 | 309 | This series of protocols is also called "HTTPS" after the URI scheme |
| 311 | 310 | used to specify "HTTP over TLS." |
| 312 | 311 |
| --- www/ssl.wiki | |
| +++ www/ssl.wiki | |
| @@ -17,15 +17,14 @@ | |
| 17 | There are two major aspects to this, both of which have to be addressed |
| 18 | in different ways. Those are the subjects of the next two major |
| 19 | sections. |
| 20 | |
| 21 | |
| 22 | <h2 id="client">Fossil TLS Configuration: Client Side</h2> |
| 23 | |
| 24 | Fossil itself has built-in support for TLS on the client side only. That |
| 25 | is to say, you can build it against [https://www.openssl.org/|the |
| 26 | OpenSSL library], which will allow it to clone and sync with a remote |
| 27 | Fossil repository via <tt>https</tt> URIs. |
| 28 | |
| 29 | |
| 30 | <h3 id="openssl-bin">Building Against OpenSSL Automatically</h3> |
| 31 | |
| @@ -36,11 +35,11 @@ | |
| 36 | |
| 37 | If it can't find the files it needs, the most common solution is to |
| 38 | install the OpenSSL development package on your system via your OS's |
| 39 | package manager. Examples: |
| 40 | |
| 41 | * <b>RHEL & Fedora</b>: <tt>sudo yum install openssl-devel</tt> |
| 42 | * <b>Debian & Ubuntu</b>: <tt>sudo apt install libssl-dev</tt> |
| 43 | * <b>FreeBSD</b>: <tt>su -c 'pkg install openssl'</tt> |
| 44 | * <b>macOS</b>: <tt>sudo brew install openssl</tt> |
| 45 | * <b>Cygwin</b>: Install <tt>openssl-devel</tt> via Cygwin's |
| 46 | <tt>setup-*.exe</tt> program |
| @@ -224,19 +223,19 @@ | |
| 224 | If you attempt to connect to a server which requests a client |
| 225 | certificate, but don't provide one, fossil will show an error message |
| 226 | which explains what to do to authenticate with the server. |
| 227 | |
| 228 | |
| 229 | <h2 id="server">Fossil TLS Configuration: Server Side</h2> |
| 230 | |
| 231 | Fossil's built-in HTTP server feature did not add [./ssl-server.md|support HTTP over TLS] |
| 232 | (a.k.a. HTTPS) until version 2.18 (early 2022). Prior to that, system |
| 233 | administrators that wanted to add HTTPS support to a Fossil server had |
| 234 | to put Fossil behind a web-server or reverse-proxy that would do the |
| 235 | HTTPS to HTTP translation. [./server/ | Instructions for doing so] |
| 236 | are found elsewhere in this documentation. A few of the most useful |
| 237 | of these are: |
| 238 | |
| 239 | * <a id="stunnel" href="./server/any/stunnel.md">Serving via stunnel</a> |
| 240 | * <a id="althttpd" href="./server/any/althttpd.md">Serving via stunnel + althttpd</a> |
| 241 | * <a id="nginx" href="./server/debian/nginx.md#tls">Serving via SCGI with nginx on Debian</a> |
| 242 | |
| @@ -287,11 +286,11 @@ | |
| 287 | fix the setting, and then upload it to the repository server |
| 288 | again.</p> |
| 289 | |
| 290 | It's best to enforce TLS-only access at the front-end proxy level |
| 291 | anyway. It not only avoids the problem entirely, it can be significantly |
| 292 | more secure. The [server/debian/nginx.md#tls | nginx-on-Debian proxy guide] shows one way |
| 293 | to achieve this.</p> |
| 294 | |
| 295 | |
| 296 | <h2>Terminology Note</h2> |
| 297 | |
| @@ -303,9 +302,9 @@ | |
| 303 | |
| 304 | Some people still use the term "SSL" when they actually mean "TLS," but |
| 305 | in the Fossil project, we always use "TLS" except when we must preserve |
| 306 | some sort of historical compatibility, as with this document's name in |
| 307 | order to avoid broken external URLs. The Fossil TLS-related settings |
| 308 | also often use "<tt>ssl</tt>" in their names, for the same reason. |
| 309 | |
| 310 | This series of protocols is also called "HTTPS" after the URI scheme |
| 311 | used to specify "HTTP over TLS." |
| 312 |
| --- www/ssl.wiki | |
| +++ www/ssl.wiki | |
| @@ -17,15 +17,14 @@ | |
| 17 | There are two major aspects to this, both of which have to be addressed |
| 18 | in different ways. Those are the subjects of the next two major |
| 19 | sections. |
| 20 | |
| 21 | |
| 22 | <h2 id="client">Client-Side Configuration</h2> |
| 23 | |
| 24 | You can build Fossil against [https://www.openssl.org/ | |
| 25 | OpenSSL] to allow it to clone and sync with a remote |
| 26 | Fossil repository via <tt>https</tt> URIs. |
| 27 | |
| 28 | |
| 29 | <h3 id="openssl-bin">Building Against OpenSSL Automatically</h3> |
| 30 | |
| @@ -36,11 +35,11 @@ | |
| 35 | |
| 36 | If it can't find the files it needs, the most common solution is to |
| 37 | install the OpenSSL development package on your system via your OS's |
| 38 | package manager. Examples: |
| 39 | |
| 40 | * <b>RHEL & Fedora</b>: <tt>sudo dnf install openssl-devel</tt> |
| 41 | * <b>Debian & Ubuntu</b>: <tt>sudo apt install libssl-dev</tt> |
| 42 | * <b>FreeBSD</b>: <tt>su -c 'pkg install openssl'</tt> |
| 43 | * <b>macOS</b>: <tt>sudo brew install openssl</tt> |
| 44 | * <b>Cygwin</b>: Install <tt>openssl-devel</tt> via Cygwin's |
| 45 | <tt>setup-*.exe</tt> program |
| @@ -224,19 +223,19 @@ | |
| 223 | If you attempt to connect to a server which requests a client |
| 224 | certificate, but don't provide one, fossil will show an error message |
| 225 | which explains what to do to authenticate with the server. |
| 226 | |
| 227 | |
| 228 | <h2 id="server">Server-Side Configuration</h2> |
| 229 | |
| 230 | Fossil's built-in HTTP server got [./ssl-server.md | TLS support] in |
| 231 | December 2021, released as version 2.18 in early 2022. Prior to that, |
| 232 | system administrators that wanted to add TLS support to a Fossil server |
| 233 | had to put it behind a reverse proxy that would do the translation. |
| 234 | Since advantages remain for delegating TLS to another layer in the |
| 235 | stack, instructions for doing so continue to be included in our |
| 236 | documentation, such as: |
| 237 | |
| 238 | * <a id="stunnel" href="./server/any/stunnel.md">Serving via stunnel</a> |
| 239 | * <a id="althttpd" href="./server/any/althttpd.md">Serving via stunnel + althttpd</a> |
| 240 | * <a id="nginx" href="./server/debian/nginx.md#tls">Serving via SCGI with nginx on Debian</a> |
| 241 | |
| @@ -287,11 +286,11 @@ | |
| 286 | fix the setting, and then upload it to the repository server |
| 287 | again.</p> |
| 288 | |
| 289 | It's best to enforce TLS-only access at the front-end proxy level |
| 290 | anyway. It not only avoids the problem entirely, it can be significantly |
| 291 | more secure. The [./server/debian/nginx.md#tls | nginx-on-Debian proxy guide] shows one way |
| 292 | to achieve this.</p> |
| 293 | |
| 294 | |
| 295 | <h2>Terminology Note</h2> |
| 296 | |
| @@ -303,9 +302,9 @@ | |
| 302 | |
| 303 | Some people still use the term "SSL" when they actually mean "TLS," but |
| 304 | in the Fossil project, we always use "TLS" except when we must preserve |
| 305 | some sort of historical compatibility, as with this document's name in |
| 306 | order to avoid broken external URLs. The Fossil TLS-related settings |
| 307 | also often use "<tt>ssl</tt>" in their names for the same reason. |
| 308 | |
| 309 | This series of protocols is also called "HTTPS" after the URI scheme |
| 310 | used to specify "HTTP over TLS." |
| 311 |