Disable the Windows root certificate store on OpenSSL 3.5.0, due to [https://github.com/openssl/openssl/issues/27355|OpenSSL bug #27355].
Commit
2b6ad00ea3a6b2e289b6c6a552db48f050f3d1c0d667a74aa5d3bca161935f28
Parent
278507e87115848…
1 file changed
+12
-12
+12
-12
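--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -319,11 +319,13 @@
 ** The following OpenSSL configuration options must not be used for this feature
 ** to be available: `no-autoalginit', `no-winstore'. The Fossil makefiles do not
 ** currently set these options when building OpenSSL for Windows. */
 #if defined(_WIN32)
 #if OPENSSL_VERSION_NUMBER >= 0x030200000
- if( SSL_CTX_load_verify_store(sslCtx, "org.openssl.winstore:")==0 ){
+ if( SSLeay()!=0x30500000 /* Don't use for 3.5.0 due to a bug */
+ && SSL_CTX_load_verify_store(sslCtx, "org.openssl.winstore:")==0
+ ){
 fossil_print("NOTICE: Failed to load the Windows root certificates.\n");
 }
 #endif /* OPENSSL_VERSION_NUMBER >= 0x030200000 */
 #endif /* _WIN32 */
 
@@ -999,12 +1001,12 @@
 fossil_print("\n"
 " The OpenSSL library is not used by this build of Fossil\n\n"
 );
 }
 #else
- fossil_print("OpenSSL-version: %s (0x%09x)\n",
- SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER);
+ fossil_print("OpenSSL-version: %s (0x%09llx)\n",
+ SSLeay_version(SSLEAY_VERSION), (unsigned long long)SSLeay());
 if( verbose ){
 fossil_print("\n"
 " The version of the OpenSSL library being used\n"
 " by this instance of Fossil. Version 3.0.0 or\n"
 " later is recommended.\n\n"
@@ -1061,20 +1063,18 @@
 " values are built into your OpenSSL library.\n\n"
 );
 }
 
 #if defined(_WIN32)
-#if OPENSSL_VERSION_NUMBER >= 0x030200000
- fossil_print(" OpenSSL-winstore: Yes\n");
-#else /* OPENSSL_VERSION_NUMBER >= 0x030200000 */
- fossil_print(" OpenSSL-winstore: No\n");
-#endif /* OPENSSL_VERSION_NUMBER >= 0x030200000 */
+ fossil_print(" OpenSSL-winstore: %s\n",
+ (SSLeay()>=0x30200000 && SSLeay()!=0x30500000) ? "Yes" : "No");
 if( verbose ){
 fossil_print("\n"
- " OpenSSL 3.2.0, or newer, use the root certificates managed by\n"
- " the Windows operating system. The installed root certificates\n"
- " are listed by the command:\n\n"
+ " OpenSSL 3.2.0, or newer, but not version 3.5.0 due to a bug,\n"
+ " the root certificates are managed by the Windows operating\n"
+ " system. The installed root certificates are listed by the\n"
+ " command:\n\n"
 " certutil -store \"ROOT\"\n\n"
 );
 }
 #endif /* _WIN32 */
 
@@ -1232,10 +1232,10 @@
 ** freed by the caller.
 */
 char *fossil_openssl_version(void){
 #if defined(FOSSIL_ENABLE_SSL)
 return mprintf("%s (0x%09x)\n",
- SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER);
+ SSLeay_version(SSLEAY_VERSION), (sqlite3_uint64)SSLeay());
 #else
 return mprintf("none");
 #endif
 }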
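Review bot: In fossil_openssl_version() (new lines 1236-1237) the argument is now cast to the 64-bit `sqlite3_uint64`, but the format string on the unchanged line above it is still `%09x`, which takes an int-sized argument. The fossil_print() call in the second hunk got `%09llx` together with its `(unsigned long long)` cast, so this looks like an oversight rather than intent. Assuming mprintf() follows the same length-modifier convention, the width mismatch in a varargs call is undefined behaviour and can print a wrong version value on some ABIs. The format should match the cast: `return mprintf("%s (0x%09llx)\n",`.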
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -319,11 +319,13 @@ | |
| 319 | ** The following OpenSSL configuration options must not be used for this feature |
| 320 | ** to be available: `no-autoalginit', `no-winstore'. The Fossil makefiles do not |
| 321 | ** currently set these options when building OpenSSL for Windows. */ |
| 322 | #if defined(_WIN32) |
| 323 | #if OPENSSL_VERSION_NUMBER >= 0x030200000 |
| 324 | if( SSL_CTX_load_verify_store(sslCtx, "org.openssl.winstore:")==0 ){ |
| 325 | fossil_print("NOTICE: Failed to load the Windows root certificates.\n"); |
| 326 | } |
| 327 | #endif /* OPENSSL_VERSION_NUMBER >= 0x030200000 */ |
| 328 | #endif /* _WIN32 */ |
| 329 | |
| @@ -999,12 +1001,12 @@ | |
| 999 | fossil_print("\n" |
| 1000 | " The OpenSSL library is not used by this build of Fossil\n\n" |
| 1001 | ); |
| 1002 | } |
| 1003 | #else |
| 1004 | fossil_print("OpenSSL-version: %s (0x%09x)\n", |
| 1005 | SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER); |
| 1006 | if( verbose ){ |
| 1007 | fossil_print("\n" |
| 1008 | " The version of the OpenSSL library being used\n" |
| 1009 | " by this instance of Fossil. Version 3.0.0 or\n" |
| 1010 | " later is recommended.\n\n" |
| @@ -1061,20 +1063,18 @@ | |
| 1061 | " values are built into your OpenSSL library.\n\n" |
| 1062 | ); |
| 1063 | } |
| 1064 | |
| 1065 | #if defined(_WIN32) |
| 1066 | #if OPENSSL_VERSION_NUMBER >= 0x030200000 |
| 1067 | fossil_print(" OpenSSL-winstore: Yes\n"); |
| 1068 | #else /* OPENSSL_VERSION_NUMBER >= 0x030200000 */ |
| 1069 | fossil_print(" OpenSSL-winstore: No\n"); |
| 1070 | #endif /* OPENSSL_VERSION_NUMBER >= 0x030200000 */ |
| 1071 | if( verbose ){ |
| 1072 | fossil_print("\n" |
| 1073 | " OpenSSL 3.2.0, or newer, use the root certificates managed by\n" |
| 1074 | " the Windows operating system. The installed root certificates\n" |
| 1075 | " are listed by the command:\n\n" |
| 1076 | " certutil -store \"ROOT\"\n\n" |
| 1077 | ); |
| 1078 | } |
| 1079 | #endif /* _WIN32 */ |
| 1080 | |
| @@ -1232,10 +1232,10 @@ | |
| 1232 | ** freed by the caller. |
| 1233 | */ |
| 1234 | char *fossil_openssl_version(void){ |
| 1235 | #if defined(FOSSIL_ENABLE_SSL) |
| 1236 | return mprintf("%s (0x%09x)\n", |
| 1237 | SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER); |
| 1238 | #else |
| 1239 | return mprintf("none"); |
| 1240 | #endif |
| 1241 | } |
| 1242 |
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -319,11 +319,13 @@ | |
| 319 | ** The following OpenSSL configuration options must not be used for this feature |
| 320 | ** to be available: `no-autoalginit', `no-winstore'. The Fossil makefiles do not |
| 321 | ** currently set these options when building OpenSSL for Windows. */ |
| 322 | #if defined(_WIN32) |
| 323 | #if OPENSSL_VERSION_NUMBER >= 0x030200000 |
| 324 | if( SSLeay()!=0x30500000 /* Don't use for 3.5.0 due to a bug */ |
| 325 | && SSL_CTX_load_verify_store(sslCtx, "org.openssl.winstore:")==0 |
| 326 | ){ |
| 327 | fossil_print("NOTICE: Failed to load the Windows root certificates.\n"); |
| 328 | } |
| 329 | #endif /* OPENSSL_VERSION_NUMBER >= 0x030200000 */ |
| 330 | #endif /* _WIN32 */ |
| 331 | |
| @@ -999,12 +1001,12 @@ | |
| 1001 | fossil_print("\n" |
| 1002 | " The OpenSSL library is not used by this build of Fossil\n\n" |
| 1003 | ); |
| 1004 | } |
| 1005 | #else |
| 1006 | fossil_print("OpenSSL-version: %s (0x%09llx)\n", |
| 1007 | SSLeay_version(SSLEAY_VERSION), (unsigned long long)SSLeay()); |
| 1008 | if( verbose ){ |
| 1009 | fossil_print("\n" |
| 1010 | " The version of the OpenSSL library being used\n" |
| 1011 | " by this instance of Fossil. Version 3.0.0 or\n" |
| 1012 | " later is recommended.\n\n" |
| @@ -1061,20 +1063,18 @@ | |
| 1063 | " values are built into your OpenSSL library.\n\n" |
| 1064 | ); |
| 1065 | } |
| 1066 | |
| 1067 | #if defined(_WIN32) |
| 1068 | fossil_print(" OpenSSL-winstore: %s\n", |
| 1069 | (SSLeay()>=0x30200000 && SSLeay()!=0x30500000) ? "Yes" : "No"); |
| 1070 | if( verbose ){ |
| 1071 | fossil_print("\n" |
| 1072 | " OpenSSL 3.2.0, or newer, but not version 3.5.0 due to a bug,\n" |
| 1073 | " the root certificates are managed by the Windows operating\n" |
| 1074 | " system. The installed root certificates are listed by the\n" |
| 1075 | " command:\n\n" |
| 1076 | " certutil -store \"ROOT\"\n\n" |
| 1077 | ); |
| 1078 | } |
| 1079 | #endif /* _WIN32 */ |
| 1080 | |
| @@ -1232,10 +1232,10 @@ | |
| 1232 | ** freed by the caller. |
| 1233 | */ |
| 1234 | char *fossil_openssl_version(void){ |
| 1235 | #if defined(FOSSIL_ENABLE_SSL) |
| 1236 | return mprintf("%s (0x%09x)\n", |
| 1237 | SSLeay_version(SSLEAY_VERSION), (sqlite3_uint64)SSLeay()); |
| 1238 | #else |
| 1239 | return mprintf("none"); |
| 1240 | #endif |
| 1241 | } |
| 1242 |
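Review bot: When the runtime library is exactly 3.5.0, the condition at new line 324 short-circuits and the Windows root store is skipped with no message; which trust anchors certificate verification then relies on is not visible in this hunk. Users on that version may see verification failures, or a silent fallback to another CA source, without knowing why. Testing the version first and printing a notice would make this diagnosable, e.g. `fossil_print("NOTICE: Windows root certificates not loaded (OpenSSL 3.5.0 bug).\n");`, with the existing load-failure check moved to an `else if`. This block is also still compiled only when `OPENSSL_VERSION_NUMBER >= 0x030200000`, whereas the "OpenSSL-winstore" report in the third hunk now decides from `SSLeay()` alone, so a build against older headers that runs with a newer DLL would report "Yes" although this code is absent. The enclosing function starts and ends outside the hunk.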