Add the test-trust-store command for debugging TLS problems.
Commit
28ea88e77039030fe7cd5d8a381a12f4c8613269dd925ccdda30b4bc4fa6923b
Parent
6bb5ff4aeab1b81…
1 file changed
+20
-2
+20
-2
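--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -247,11 +247,11 @@
 
 /*
 ** Call this routine once before any other use of the SSL interface.
 ** This routine does initial configuration of the SSL module.
 */
-static void ssl_global_init_client(void){
+static void ssl_global_init_client(int bDebug){
   const char *identityFile;
 
   if( sslIsInit==0 ){
     const char *zFile;
     const char *zCaFile = 0;
@@ -302,10 +302,14 @@
         zCaDirectory = 0;
         break;
       }
     }
   }
+  if( bDebug ){
+    fossil_print("zCaFile = %s\n"
+                 "zCaDirectory = %s\n", zCaFile, zCaDirectory);
+  }
   if( zFile==0 ){
     /* fossil_fatal("Cannot find a trust store"); */
   }else if( SSL_CTX_load_verify_locations(sslCtx, zCaFile, zCaDirectory)==0 ){
     fossil_fatal("Cannot load CA root certificates from %s", zFile);
   }
@@ -332,10 +336,13 @@
   if( g.zSSLIdentity!=0 ){
     identityFile = g.zSSLIdentity;
   }else{
     identityFile = db_get("ssl-identity", 0);
   }
+  if( bDebug ){
+    fossil_print("identifyFile = %s\n", identityFile);
+  }
   if( identityFile!=0 && identityFile[0]!='\0' ){
     if( SSL_CTX_use_certificate_chain_file(sslCtx,identityFile)!=1
      || SSL_CTX_use_PrivateKey_file(sslCtx,identityFile,SSL_FILETYPE_PEM)!=1
     ){
       fossil_fatal("Could not load SSL identity from %s", identityFile);
@@ -359,10 +366,21 @@
     SSL_CTX_free(sslCtx);
     ssl_clear_errmsg();
     sslIsInit = 0;
   }
 }
+
+/*
+** COMMAND: test-trust-store
+**
+** Show the trust store that is used by OpenSSL.
+*/
+void test_openssl_trust_store(void){
+  ssl_global_init_client(1);
+  ssl_global_shutdown();
+}
+
 
 /*
 ** Close the currently open client SSL connection. If no connection is open,
 ** this routine is a no-op.
 */
@@ -446,11 +464,11 @@
 */
 int ssl_open_client(UrlData *pUrlData){
   X509 *cert;
   const char *zRemoteHost;
 
-  ssl_global_init_client();
+  ssl_global_init_client(0);
   if( pUrlData->useProxy ){
     int rc;
     char *connStr = mprintf("%s:%d", g.url.name, pUrlData->port);
     BIO *sBio = BIO_new_connect(connStr);
     free(connStr);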
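Review bot: The new debug prints pass pointers that the surrounding code shows can be null through `%s`: `zCaFile` starts as 0 (old line 257), `zCaDirectory` is set to 0 on one path (old line 302), and `identityFile` is checked for 0 on the very next line after the new print at new line 344. Whether fossil_print renders a null `%s` safely is not visible here, so the debug output should substitute a label explicitly, e.g. `fossil_print("identityFile = %s\n", identityFile ? identityFile : "(none)");` and likewise for the two CA values at new lines 308-309. The same line also has a label typo, `identifyFile`, which the quoted replacement corrects. The body of ssl_global_init_client starts at the first hunk and runs past the hunks shown, so other null-capable locals may exist outside the view; the same section is rendered again twice below, old side then new side, and this note applies to those copies too.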
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -247,11 +247,11 @@ | |
| 247 | |
| 248 | /* |
| 249 | ** Call this routine once before any other use of the SSL interface. |
| 250 | ** This routine does initial configuration of the SSL module. |
| 251 | */ |
| 252 | static void ssl_global_init_client(void){ |
| 253 | const char *identityFile; |
| 254 | |
| 255 | if( sslIsInit==0 ){ |
| 256 | const char *zFile; |
| 257 | const char *zCaFile = 0; |
| @@ -302,10 +302,14 @@ | |
| 302 | zCaDirectory = 0; |
| 303 | break; |
| 304 | } |
| 305 | } |
| 306 | } |
| 307 | if( zFile==0 ){ |
| 308 | /* fossil_fatal("Cannot find a trust store"); */ |
| 309 | }else if( SSL_CTX_load_verify_locations(sslCtx, zCaFile, zCaDirectory)==0 ){ |
| 310 | fossil_fatal("Cannot load CA root certificates from %s", zFile); |
| 311 | } |
| @@ -332,10 +336,13 @@ | |
| 332 | if( g.zSSLIdentity!=0 ){ |
| 333 | identityFile = g.zSSLIdentity; |
| 334 | }else{ |
| 335 | identityFile = db_get("ssl-identity", 0); |
| 336 | } |
| 337 | if( identityFile!=0 && identityFile[0]!='\0' ){ |
| 338 | if( SSL_CTX_use_certificate_chain_file(sslCtx,identityFile)!=1 |
| 339 | || SSL_CTX_use_PrivateKey_file(sslCtx,identityFile,SSL_FILETYPE_PEM)!=1 |
| 340 | ){ |
| 341 | fossil_fatal("Could not load SSL identity from %s", identityFile); |
| @@ -359,10 +366,21 @@ | |
| 359 | SSL_CTX_free(sslCtx); |
| 360 | ssl_clear_errmsg(); |
| 361 | sslIsInit = 0; |
| 362 | } |
| 363 | } |
| 364 | |
| 365 | /* |
| 366 | ** Close the currently open client SSL connection. If no connection is open, |
| 367 | ** this routine is a no-op. |
| 368 | */ |
| @@ -446,11 +464,11 @@ | |
| 446 | */ |
| 447 | int ssl_open_client(UrlData *pUrlData){ |
| 448 | X509 *cert; |
| 449 | const char *zRemoteHost; |
| 450 | |
| 451 | ssl_global_init_client(); |
| 452 | if( pUrlData->useProxy ){ |
| 453 | int rc; |
| 454 | char *connStr = mprintf("%s:%d", g.url.name, pUrlData->port); |
| 455 | BIO *sBio = BIO_new_connect(connStr); |
| 456 | free(connStr); |
| 457 |
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -247,11 +247,11 @@ | |
| 247 | |
| 248 | /* |
| 249 | ** Call this routine once before any other use of the SSL interface. |
| 250 | ** This routine does initial configuration of the SSL module. |
| 251 | */ |
| 252 | static void ssl_global_init_client(int bDebug){ |
| 253 | const char *identityFile; |
| 254 | |
| 255 | if( sslIsInit==0 ){ |
| 256 | const char *zFile; |
| 257 | const char *zCaFile = 0; |
| @@ -302,10 +302,14 @@ | |
| 302 | zCaDirectory = 0; |
| 303 | break; |
| 304 | } |
| 305 | } |
| 306 | } |
| 307 | if( bDebug ){ |
| 308 | fossil_print("zCaFile = %s\n" |
| 309 | "zCaDirectory = %s\n", zCaFile, zCaDirectory); |
| 310 | } |
| 311 | if( zFile==0 ){ |
| 312 | /* fossil_fatal("Cannot find a trust store"); */ |
| 313 | }else if( SSL_CTX_load_verify_locations(sslCtx, zCaFile, zCaDirectory)==0 ){ |
| 314 | fossil_fatal("Cannot load CA root certificates from %s", zFile); |
| 315 | } |
| @@ -332,10 +336,13 @@ | |
| 336 | if( g.zSSLIdentity!=0 ){ |
| 337 | identityFile = g.zSSLIdentity; |
| 338 | }else{ |
| 339 | identityFile = db_get("ssl-identity", 0); |
| 340 | } |
| 341 | if( bDebug ){ |
| 342 | fossil_print("identifyFile = %s\n", identityFile); |
| 343 | } |
| 344 | if( identityFile!=0 && identityFile[0]!='\0' ){ |
| 345 | if( SSL_CTX_use_certificate_chain_file(sslCtx,identityFile)!=1 |
| 346 | || SSL_CTX_use_PrivateKey_file(sslCtx,identityFile,SSL_FILETYPE_PEM)!=1 |
| 347 | ){ |
| 348 | fossil_fatal("Could not load SSL identity from %s", identityFile); |
| @@ -359,10 +366,21 @@ | |
| 366 | SSL_CTX_free(sslCtx); |
| 367 | ssl_clear_errmsg(); |
| 368 | sslIsInit = 0; |
| 369 | } |
| 370 | } |
| 371 | |
| 372 | /* |
| 373 | ** COMMAND: test-trust-store |
| 374 | ** |
| 375 | ** Show the trust store that is used by OpenSSL. |
| 376 | */ |
| 377 | void test_openssl_trust_store(void){ |
| 378 | ssl_global_init_client(1); |
| 379 | ssl_global_shutdown(); |
| 380 | } |
| 381 | |
| 382 | |
| 383 | /* |
| 384 | ** Close the currently open client SSL connection. If no connection is open, |
| 385 | ** this routine is a no-op. |
| 386 | */ |
| @@ -446,11 +464,11 @@ | |
| 464 | */ |
| 465 | int ssl_open_client(UrlData *pUrlData){ |
| 466 | X509 *cert; |
| 467 | const char *zRemoteHost; |
| 468 | |
| 469 | ssl_global_init_client(0); |
| 470 | if( pUrlData->useProxy ){ |
| 471 | int rc; |
| 472 | char *connStr = mprintf("%s:%d", g.url.name, pUrlData->port); |
| 473 | BIO *sBio = BIO_new_connect(connStr); |
| 474 | free(connStr); |
| 475 |