Fossil SCM
Preliminary documentation for server-side SSL.
Commit
a094e654e5bcb31d27a04769505ec6d715065b3745c6794564476c6c5e3b9013
Parent
531434900bbc15a…
2 files changed: +2 (www/changes.wiki), +216 (www/ssl-server.md)
| --- www/changes.wiki | ||
| +++ www/changes.wiki | ||
| @@ -1,8 +1,10 @@ | ||
| 1 | 1 | <title>Change Log</title> |
| 2 | 2 | |
| 3 | 3 | <h2 id='v2_18'>Changes for version 2.18 (pending)</h2> |
| 4 | + * Added support for [./ssl-server.md|SSL/TLS server mode] for commands | |
| 5 | + like "[/help?cmd=server|fossil server]" and "[/help?cmd=http|fossil http]" | |
| 4 | 6 | * Added the --share-links option to [/help?cmd=sync|fossil sync] and |
| 5 | 7 | [/help?cmd=pull|fossil pull]. Enhance the |
| 6 | 8 | [/doc/trunk/www/sync.wiki|sync protocol] so that it is able to support |
| 7 | 9 | sharing of links to other clones. |
| 8 | 10 | * Added the --transport-command option to [/help?cmd=sync|fossil sync] |
| 9 | 11 | |
| 10 | 12 | ADDED www/ssl-server.md |
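Review bot: the new bullet at hunk lines 4-5 ends without a terminating period, unlike the surrounding entries ("... sharing of links to other clones."); add one for consistency. The same entry names only `fossil server` and `fossil http`, while the new www/ssl-server.md document in this commit also lists `fossil ui` among the commands that now handle server-mode SSL/TLS, so consider mentioning `fossil ui` here as well.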
+216
| --- a/www/ssl-server.md | ||
| +++ b/www/ssl-server.md | ||
| @@ -0,0 +1,216 @@ | ||
| 1 | +# SSL/TLS Server Mode | |
| 2 | + | |
| 3 | +## Hisclient-side SSL/TLS since [2010][1]. This means | |
| 4 | +that commands like "[fossil sync](/help?cmd=sync)" could use SSL/TLS when | |
| 5 | +contacting a server. But on the server side, commands ?cmd=server)" operated in clear-text only. To implement | |
| 6 | +an encrypted server, you had to put Fossil behind a web server or reverse | |
| 7 | +proxy that handled the SSL/TLS decryption/encryption and passed cleartext | |
| 8 | +down to Fossil. | |
| 9 | + | |
| 10 | +[0]: ./ssl.wiki | |
| 11 | +[1]: /timeli1]: /timeline?c=b05cb4a0e15d0712&y=ci&n=13 | |
| 12 | + | |
| 13 | +Beginning in [late December 2021](/timeline?c=f6263bb64195b07f&y=a&n=13), | |
| 14 | +this has been fixed. Commands like | |
| 15 | + | |
| 16 | + * "[fossil server](/help?cmd=server)" | |
| 17 | + * "[fossil ui](/help?cmd=r)" | |
| 18 | + * "[fossil ui](/help/ui)", a?cmd=http)" | |
| 19 | + | |
| 20 | +now all handle server-mode SSL/TLS encryption natively. It is now possible | |
| 21 | +to run a secure Fossil server without having server or reverse | |
| 22 | +proxn encrypting | |
| 23 | +web server or reverse proxy. Hence, it is now possible to stand up a complete | |
| 24 | +Fossild first rset on an inexpensive VPS with no added software other than | |
| 25 | +Fossil itself and something like [certbot](https://certbot.eff.org) for | |
| 26 | +obtaining a Usage | |
| 27 | + | |
| 28 | +To put any of the Fossil server commands into SSL/TLS mode, simply | |
| 29 | +add the "--cert fossil ui --cert uns.fe-builtin | |
| 30 | + | |
| 31 | +The --cert optiossl" command-line option. (Or use ned to discourage the “yeui --ssl | |
| 32 | +~~~ | |
| 33 | + | |
| 34 | +Since no certificate (or "cert") has been specified, Fossil will use | |
| 35 | +wiki/Certificate_authat is built into Fossil itself. The fact that the | |
| 36 | +cert is self-signed, not secure and | |
| 37 | +should only be used for testing. Your web-browser will complain bitterly | |
| 38 | +and will refuse to "unsafe-builtin" cert. | |
| 39 | +Firefox will allow you to click an "I know the risks" buttonSo tion is worse than no encryption | |
| 40 | +for testing. solve this. | |
| 41 | + | |
| 42 | +## About Certs | |
| 43 | + | |
| 44 | +Ce | |
| 45 | +you or reverse | |
| 46 | +proxn encry or asymmetric cryptography. To create a cert, | |
| 47 | +you first create a new "key pair" consisting of a public key and a private key. | |
| 48 | +The public key can be freely shared with the world, but you must keep the | |
| 49 | +private key secret. If anyone gains access to your private > | |
| 50 | +`ext | |
| 51 | +like this: | |
| 52 | + | |
| 53 | + -----BE` | |
| 54 | +ike this: | |
| 55 | + | |
| 56 | + ` private key* | |
| 57 | + -----`he private key* | |
| 58 | + -----> | |
| 59 | +`, a PEM-encoded cert will l` | |
| 60 | +ike this: | |
| 61 | + | |
| 62 | + -----BEGINcertificate* | |
| 63 | +` *base-64 encoding of t`END CERTIFICATE----- | |
| 64 | + | |
| 65 | +In both formats, text outside of the delimiters is ignored. That means | |
| 66 | +that if you have a PEM-formatted private key and a separate PEM-formatted | |
| 67 | +certificate, you can concatenate the two into a singreade complexity of the | |
| 68 | +ceremony demanded depends on how paranoid your browser’s creators have | |
| 69 | +decided to be. It may require as little as clicking a single big "I know | |
| 70 | +the risks" type of button, or it may require a sequence be several | |
| 71 | +clicks designed to discourage the “yes, yes, just let me do the thing” | |
| 72 | +crowd lest they run themselves into trouble by disregarding well-meant | |
| 73 | +warnings. | |
| 74 | + | |
| 75 | +Our purpose here ooteans | |
| 76 | +that commands like "[fossil sync](/help?cmd=sync)" could use SSL/TLS when | |
| 77 | +contacting a server. But on the server side, commands ?cmd=server)" operated in clear-text only. To implement | |
| 78 | +an encrypted server, you had to put Fossil behind a web server or reverse | |
| 79 | +proxy that handled the SSL/TLS decryption/encryption and passed cleartext | |
| 80 | +down t# SSL/TLS Server Mode | |
| 81 | + | |
| 82 | +## Hisclient-side SSL/TLS since [2010][1]. This means | |
| 83 | +that commands likristic falling aormer rises.(^No strict correlation exists. CAs have invented | |
| 84 | +highly inconvenient certification schemes that offer little additional | |
| 85 | +real-world trustworthiness. Extreme cases along this axis may be fairly | |
| 86 | +characterized as [security theater][st]. We focus in this document on | |
| 87 | +well-balanced trade-offs between decreasing convenience and useful | |
| 88 | +levels of trustworthiness gained thereby.) | |
| 89 | + | |
| 90 | +The self-signed method demonstrated above offers approximately zero | |
| 91 | +trustworthiness, though not zero _value_ since it does stil> ~~~ | |
| 92 | +rver](/help?cmd= SSL/ | |
| 93 | +As the na~~~ should | |
| 94 | +only be used for testing. Your web browser is likely to complain | |
| 95 | +bitterly about it and will refuse to display the pages using the | |
| 96 | +"unsafe-builtin" cert until you placate it. The complexity of the | |
| 97 | +ceremony demanded depends on how paranoid your browser’s creators have | |
| 98 | +decided to be. It may require as little as clicking a single big "I know | |
| 99 | +the risks" type of button, or it may require a sequence be several | |
| 100 | +clicks designed to discouragse the “yes, yes, just let me do , means that y" button andand will refuse | |
| 101 | +to display the pages that Fossil returns. Some web browsers (ex: Firefox) | |
| 102 | +tion is worse than no encryption at all. Continue reading | |
| 103 | +to see Other | |
| 104 | +solve this. | |
| 105 | + | |
| 106 | +## About Certs | |
| 107 | + | |
| 108 | +Certs are based on public-key or assupportans | |
| 109 | +that commands like "[fossil sync](/help?cmd=sync)" could use SSL/TLS when | |
| 110 | +contacting a server. But on the server side, commands ?cmd=server)" operated in clear-text only. To implement | |
| 111 | +an encrypted server, you had to put Fossil behind a web server or reverse | |
| 112 | +proxy that handled the SSL/TLS decryption/encryption and passed cleartext | |
| 113 | +down to Fossil. | |
| 114 | + | |
| 115 | +[0]: ./ssl.wiki | |
| 116 | +[1]: /timeli1]: /timeline?c=b05cb4a0e15d0712&y=ci&n=13 | |
| 117 | + | |
| 118 | +Beginning in [late December 2021](/timeline?c=f6263bb64195b07f&y=a&n=13), | |
| 119 | +this has been fixed. Commands like | |
| 120 | + | |
| 121 | + * "[fossil server](/help?cmd=server)" | |
| 122 | + * "[fossil ui](/help?cmd=r)" | |
| 123 | + * "[fossil ui](/help/ui)", a?cmd=http)" | |
| 124 | + | |
| 125 | +now all handle server-mode SSL/TLS encryption natively. It is now possible | |
| 126 | +to run a secure Fossil server without having server or reverse | |
| 127 | +proxn encrypting | |
| 128 | +web server or reverse proxy. Hence, it is now possible to stand up a complete | |
| 129 | +Fossild first run Foss on an inexpensive VPS with no added software other than | |
| 130 | +Fossil itself and something like [certbot](https://certbot.eff.org) for | |
| 131 | +obtaining a Usage | |
| 132 | + | |
| 133 | +To put any of the Fossil server commands into SSL/TLS mode, simply | |
| 134 | +add the "--cert fossil ui --cert uns.fe-builtin | |
| 135 | + | |
| 136 | +The --cert optiossl" command-line option. (Or use ned to discourage the “yeui --ssl | |
| 137 | +~~~ | |
| 138 | + | |
| 139 | +Since no certificate (or "cert") has been specified, Fossil will use | |
| 140 | +wiki/Certificate_authat is built into Fossil itself. The fact that the | |
| 141 | +cert is self-signed, not secure and | |
| 142 | +should only be used for testing. Your web-browser will complain bitterly | |
| 143 | +and will refuse to "unsafe-builtin" cert. | |
| 144 | +Firefox will allow you to click an "I know the risks" buttonSo tion is worse than no encryption | |
| 145 | +for testing. solve this. | |
| 146 | + | |
| 147 | +## About Certs | |
| 148 | + | |
| 149 | +Ce | |
| 150 | +you or reverse | |
| 151 | +proxn encry or asymmetric cryptography. To create a cert, | |
| 152 | +you first create a new "key pair" consisting of a public key and a private key. | |
| 153 | +The public key can be freely shared with the world, but you must keep the | |
| 154 | +private key secret. If anyone gains access to your private > | |
| 155 | +`ext | |
| 156 | +like this: | |
| 157 | + | |
| 158 | + -----BE` | |
| 159 | +ike this: | |
| 160 | + | |
| 161 | + ` private key* | |
| 162 | + -----`he private key* | |
| 163 | + -----> | |
| 164 | +`, a PEM-encoded cert will l` | |
| 165 | +ike this: | |
| 166 | + | |
| 167 | + -----BEGINcertificate* | |
| 168 | +` *base-64 encoding of t`END CERTIFICATE----- | |
| 169 | + | |
| 170 | +In both formats, text outside of the delimiters is ignore# SSL/TLS Server Mode | |
| 171 | + | |
| 172 | +## Hisclient-side SSL/TLS since [2010][1]. This means | |
| 173 | +that commands like "[fossil sync](/help?cmd=sync)" could use SSL/TLS when | |
| 174 | +contacting a server. But on the server side, commands ?cmd=server)" operated in clear-text only. To implement | |
| 175 | +an encrypted server, you had to put Fossil behind a web server or reverse | |
| 176 | +proxy that handled the SSL/TLS decryption/encryption and passed cleartext | |
| 177 | +down to Fossil. | |
| 178 | + | |
| 179 | +[0]: ./ssl.wiki | |
| 180 | +[1]: /timeli1]: /timeline?c=b05cb4a0e15d0712&y=ci&n=13 | |
| 181 | + | |
| 182 | +Beginning in [late December 2021](/timeline?c=f6263bb64195b07f&y=a&n=13), | |
| 183 | +this has been fixed. Commands like | |
| 184 | + | |
| 185 | + * "[fossil server](/help?cmd=server)" | |
| 186 | + * "[fossil ui](/help?cmd=r)" | |
| 187 | + * "[fossil ui](/help/ui)", a?cmd=http)" | |
| 188 | + | |
| 189 | +now all handle server-mode SSL/TLS encryption natively. It is now possible | |
| 190 | +to run a secure Fossil server without having server or reverse | |
| 191 | +proxn encrypting | |
| 192 | +web server or reverse proxy. Hence, it is now possible to stand up a complete | |
| 193 | +Fossild first run Foss on an inexpensive VPS with no added software other than | |
| 194 | +Fossil itself and something like [certbot](https://certbot.eff.org) for | |
| 195 | +obtaining a Usage | |
| 196 | + | |
| 197 | +To put any of the Fossil server commands into SSL/TLS mode, simply | |
| 198 | +add the "--cert fossil ui --cert uns.fe-builtin | |
| 199 | + | |
| 200 | +The --cert optiossl" command-line option. (Or use ned to discourage the “yeui --ssl | |
| 201 | +~~~ | |
| 202 | + | |
| 203 | +Since no certificate (or "cert") has been specified, Fossil will use | |
| 204 | +wiki/Certificate_authat is built into Fossil itself. The fact that the | |
| 205 | +cert is self-signed, not secure and | |
| 206 | +should only be used for testing. Your web-browser will complain bitterly | |
| 207 | +and will refuse to "unsafe-builtin" cert. | |
| 208 | +Firefox will allow you to click an "I know the risks" buttonSo tion is worse than no encryption | |
| 209 | +for testing. solve this. | |
| 210 | + | |
| 211 | +## About Certs | |
| 212 | + | |
| 213 | +Ce | |
| 214 | +you or reverse | |
| 215 | +proxn encry or asymmetric cryptography. To create a cert, | |
| 216 | +you first cr |
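Review bot: the "About Certs" section (hunk lines 47-49 and 65-67) tells the reader to keep the private key secret and then explains that the PEM private key and certificate can be concatenated into a single file, but never says how that combined file should be protected; since it now carries the private key, a sentence recommending restrictive file permissions (readable only by the account that runs `fossil server`) would close that gap. Two reference-link issues are also visible: line 86 uses `[security theater][st]` but no `[st]:` definition appears anywhere in the hunk, so the link will render as literal text unless it is defined elsewhere in the file, and line 10 defines `[0]: ./ssl.wiki` while no `[0]` reference is visible in the text; please verify both. Finally, the command list at lines 16-18 appears to name `fossil ui` twice with different link targets (`/help?cmd=r` and `/help/ui`); if that is not an artifact of the rendering, the list should read `fossil server`, `fossil ui`, `fossil http` with the three corresponding `/help?cmd=` links.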