Enable OpenSSL to use the Windows certificate store.
Commit
6fc64abe34856054951968b17ffc49a19194cbed7a37cb4882588cc5b64c2831
Parent
02349c875d62f70…
1 file changed
+29
+29
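--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -307,10 +307,25 @@
 if( zFile==0 ){
 /* fossil_fatal("Cannot find a trust store"); */
 }else if( SSL_CTX_load_verify_locations(sslCtx, zCaFile, zCaDirectory)==0 ){
 fossil_fatal("Cannot load CA root certificates from %s", zFile);
 }
+
+/* Enable OpenSSL to use the Windows system ROOT certificate store to search for
+** certificates missing in the file and directory trust stores already loaded by
+** `SSL_CTX_load_verify_locations()'.
+** This feature was introduced with OpenSSL 3.2.0, and may be enabled by default
+** for future versions of OpenSSL, and explicit initialization may be redundant.
+** NOTE TO HACKERS TWEAKING THEIR OPENSSL CONFIGURATION:
+** The following OpenSSL configuration options must not be used for this feature
+** to be available: `no-autoalginit', `no-winstore'. The Fossil makefiles do not
+** currently set these options when building OpenSSL for Windows. */
+#if defined (_WIN32)
+#if OPENSSL_VERSION_NUMBER >= 0x030200000
+SSL_CTX_load_verify_store(sslCtx, "org.openssl.winstore:");
+#endif /* OPENSSL_VERSION_NUMBER >= 0x030200000 */
+#endif /* _WIN32 */
 
 /* Load client SSL identity, preferring the filename specified on the
 ** command line */
 if( g.zSSLIdentity!=0 ){
 identityFile = g.zSSLIdentity;
@@ -1030,10 +1045,24 @@
 " the identity of servers for \"https:\" URLs. These values\n"
 " come into play when Fossil is used as a TLS client. These\n"
 " values are built into your OpenSSL library.\n\n"
 );
 }
+
+#if defined (_WIN32)
+#if OPENSSL_VERSION_NUMBER >= 0x030200000
+fossil_print(" OpenSSL-winstore: Yes\n");
+#else /* OPENSSL_VERSION_NUMBER >= 0x030200000 */
+fossil_print(" OpenSSL-winstore: No\n");
+#endif /* OPENSSL_VERSION_NUMBER >= 0x030200000 */
+if( verbose ){
+fossil_print("\n"
+" OpenSSL 3.2.0 (or newer) also uses the certificates managed by\n"
+" the Windows operating system.\n\n"
+);
+}
+#endif /* _WIN32 */
 
 if( zUsed==0 ) zUsed = "";
 fossil_print(" Trust store used: %s\n", zUsed);
 if( verbose ){
 fossil_print("\n"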
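Review bot: The return value of `SSL_CTX_load_verify_store()` on new line 324 is discarded, whereas the neighbouring `SSL_CTX_load_verify_locations()` call on line 309 is checked and treated as fatal. If the winstore loader is unavailable at run time (the new comment itself names build options that remove it, and with a dynamically linked OpenSSL the library actually loaded may not match the compile-time `OPENSSL_VERSION_NUMBER` test), verification silently falls back to the file and directory stores while the status report in the second hunk still prints `OpenSSL-winstore: Yes` from the compile-time test alone. A non-fatal check preserves the current fallback but makes the outcome visible to the user: `if( SSL_CTX_load_verify_store(sslCtx, "org.openssl.winstore:")==0 ){` / `  fossil_warning("Cannot load the Windows system certificate store");` / `}`. The enclosing function begins before the first hunk.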