Add the "tls-config" command for managing the OpenSSL configuration and for viewing and deleting certificate exceptions.
Commit
bc236201210bfeeee4c24c0055d45df8f699fac196c1f2fe6b2e53c4c688d222
Parent
455b2aa67b62b5e…
1 file changed
+99
-11
+99
-11
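--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -511,22 +511,110 @@
 }
 
 #endif /* FOSSIL_ENABLE_SSL */
 
 /*
-** COMMAND: test-ssl-trust-store
+** COMMAND: tls-config*
+**
+** Usage: %fossil tls-config [SUBCOMMAND] [OPTIONS...] [ARGS...]
+**
+** This command is used to view or modify the TLS (Transport Layer
+** Security) configuration for Fossil. TLS (formerly SSL) is the
+** encryption technology used for secure HTTPS transport.
+**
+** Sub-commands:
+**
+** show Show the TLS configuration
 **
-** Show the file and directory where OpenSSL looks for certificates
-** of trusted CAs.
+** remove-exception DOMAIN... Remove TLS cert exceptions
+** for the domains listed. Or if
+** the --all option is specified,
+** remove all TLS cert exceptions.
 */
-void test_ssl_info(void){
+void test_tlsconfig_info(void){
+ const char *zCmd;
+ size_t nCmd;
+ int nHit = 0;
 #if !defined(FOSSIL_ENABLE_SSL)
- fossil_print("SSL disabled in this build\n");
+ fossil_print("TLS disabled in this build\n");
 #else
- fossil_print("file: %-14s %s\n",
- X509_get_default_cert_file_env(),
- X509_get_default_cert_file());
- fossil_print("dir: %-14s %s\n",
- X509_get_default_cert_dir_env(),
- X509_get_default_cert_dir());
+ db_find_and_open_repository(OPEN_OK_NOT_FOUND|OPEN_SUBSTITUTE,0);
+ db_open_config(1,0);
+ zCmd = g.argc>=3 ? g.argv[2] : "show";
+ nCmd = strlen(zCmd);
+ if( strncmp("show",zCmd,nCmd)==0 ){
+ const char *zName, *zValue;
+ size_t nName;
+ Stmt q;
+ fossil_print("OpenSSL-version: %s\n", SSLeay_version(SSLEAY_VERSION));
+ fossil_print("OpenSSL-cert-file: %s\n", X509_get_default_cert_file());
+ fossil_print("OpenSSL-cert-dir: %s\n", X509_get_default_cert_dir());
+ zName = X509_get_default_cert_file_env();
+ zValue = fossil_getenv(zName);
+ if( zValue==0 ) zValue = "";
+ nName = strlen(zName);
+ fossil_print("%s:%.*s%s\n", zName, 19-nName, "", zValue);
+ zName = X509_get_default_cert_dir_env();
+ zValue = fossil_getenv(zName);
+ if( zValue==0 ) zValue = "";
+ nName = strlen(zName);
+ fossil_print("%s:%.*s%s\n", zName, 19-nName, "", zValue);
+ nHit++;
+ fossil_print("ssl-ca-location: %s\n", db_get("ssl-ca-location",""));
+ fossil_print("ssl-identity: %s\n", db_get("ssl-identity",""));
+ db_prepare(&q,
+ "SELECT name FROM global_config"
+ " WHERE name GLOB 'cert:*'"
+ "UNION ALL "
+ "SELECT name FROM config"
+ " WHERE name GLOB 'cert:*'"
+ " ORDER BY name"
+ );
+ while( db_step(&q)==SQLITE_ROW ){
+ fossil_print("exception: %s\n", db_column_text(&q,0)+5);
+ }
+ db_finalize(&q);
+ }else
+ if( strncmp("remove-exception",zCmd,nCmd)==0 ){
+ int i;
+ Blob sql;
+ char *zSep = "(";
+ db_begin_transaction();
+ blob_init(&sql, 0, 0);
+ if( g.argc==4 && find_option("all",0,0)!=0 ){
+ blob_append_sql(&sql,
+ "DELETE FROM global_config WHERE name GLOB 'cert:*';\n"
+ "DELETE FROM global_config WHERE name GLOB 'trusted:*';\n"
+ "DELETE FROM config WHERE name GLOB 'cert:*';\n"
+ "DELETE FROM config WHERE name GLOB 'trusted:*';\n"
+ );
+ }else{
+ if( g.argc<4 ){
+ usage("remove-exception DOMAIN-NAME ...");
+ }
+ blob_append_sql(&sql,"DELETE FROM global_config WHERE name IN ");
+ for(i=3; i<g.argc; i++){
+ blob_append_sql(&sql,"%s'cert:%q','trust:%q'",
+ zSep/*safe-for-%s*/, g.argv[i], g.argv[i]);
+ zSep = ",";
+ }
+ blob_append_sql(&sql,");\n");
+ zSep = "(";
+ blob_append_sql(&sql,"DELETE FROM config WHERE name IN ");
+ for(i=3; i<g.argc; i++){
+ blob_append_sql(&sql,"%s'cert:%q','trusted:%q'",
+ zSep/*safe-for-%s*/, g.argv[i], g.argv[i]);
+ zSep = ",";
+ }
+ blob_append_sql(&sql,");");
+ }
+ db_exec_sql(blob_str(&sql));
+ db_commit_transaction();
+ blob_reset(&sql);
+ }else
+ /*default*/{
+ fossil_fatal("unknown sub-command \"%s\".\nshould be one of:"
+ " remove-exception show",
+ zCmd);
+ }
 #endif
 }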
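Review bot: The per-domain branch of `remove-exception` deletes `'cert:%q','trust:%q'` from global_config (new line 596) but `'cert:%q','trusted:%q'` from config (new line 604), and the `--all` branch globs `trusted:*` in both tables, so the `trust:` spelling on line 596 looks like a typo: a `trusted:DOMAIN` row kept in the global config survives the command, the user sees no error, and the host stays trusted even though its exception was supposedly removed. The fix is the one line `blob_append_sql(&sql,"%s'cert:%q','trusted:%q'",` on line 596; a test that seeds both tables with `cert:`/`trusted:` rows and asserts none remain would have caught it. Separately, `19-nName` on lines 555 and 560 is a `size_t` handed to `%.*s`, which expects an `int`; compute the padding as an int (for example `(int)(19-(int)nName)`, clamped at 0) so a long environment-variable name cannot feed printf a wrapped value. The `--all` test on line 583 only consults `find_option` when `g.argc==4`, so `remove-exception example.com --all` treats `--all` as a domain name and deletes `cert:--all`; calling `find_option("all",0,0)` first and then checking the remaining argc avoids that.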
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -511,22 +511,110 @@ | |
| 511 | } |
| 512 | |
| 513 | #endif /* FOSSIL_ENABLE_SSL */ |
| 514 | |
| 515 | /* |
| 516 | ** COMMAND: test-ssl-trust-store |
| 517 | ** |
| 518 | ** Show the file and directory where OpenSSL looks for certificates |
| 519 | ** of trusted CAs. |
| 520 | */ |
| 521 | void test_ssl_info(void){ |
| 522 | #if !defined(FOSSIL_ENABLE_SSL) |
| 523 | fossil_print("SSL disabled in this build\n"); |
| 524 | #else |
| 525 | fossil_print("file: %-14s %s\n", |
| 526 | X509_get_default_cert_file_env(), |
| 527 | X509_get_default_cert_file()); |
| 528 | fossil_print("dir: %-14s %s\n", |
| 529 | X509_get_default_cert_dir_env(), |
| 530 | X509_get_default_cert_dir()); |
| 531 | #endif |
| 532 | } |
| 533 |
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -511,22 +511,110 @@ | |
| 511 | } |
| 512 | |
| 513 | #endif /* FOSSIL_ENABLE_SSL */ |
| 514 | |
| 515 | /* |
| 516 | ** COMMAND: tls-config* |
| 517 | ** |
| 518 | ** Usage: %fossil tls-config [SUBCOMMAND] [OPTIONS...] [ARGS...] |
| 519 | ** |
| 520 | ** This command is used to view or modify the TLS (Transport Layer |
| 521 | ** Security) configuration for Fossil. TLS (formerly SSL) is the |
| 522 | ** encryption technology used for secure HTTPS transport. |
| 523 | ** |
| 524 | ** Sub-commands: |
| 525 | ** |
| 526 | ** show Show the TLS configuration |
| 527 | ** |
| 528 | ** remove-exception DOMAIN... Remove TLS cert exceptions |
| 529 | ** for the domains listed. Or if |
| 530 | ** the --all option is specified, |
| 531 | ** remove all TLS cert exceptions. |
| 532 | */ |
| 533 | void test_tlsconfig_info(void){ |
| 534 | const char *zCmd; |
| 535 | size_t nCmd; |
| 536 | int nHit = 0; |
| 537 | #if !defined(FOSSIL_ENABLE_SSL) |
| 538 | fossil_print("TLS disabled in this build\n"); |
| 539 | #else |
| 540 | db_find_and_open_repository(OPEN_OK_NOT_FOUND|OPEN_SUBSTITUTE,0); |
| 541 | db_open_config(1,0); |
| 542 | zCmd = g.argc>=3 ? g.argv[2] : "show"; |
| 543 | nCmd = strlen(zCmd); |
| 544 | if( strncmp("show",zCmd,nCmd)==0 ){ |
| 545 | const char *zName, *zValue; |
| 546 | size_t nName; |
| 547 | Stmt q; |
| 548 | fossil_print("OpenSSL-version: %s\n", SSLeay_version(SSLEAY_VERSION)); |
| 549 | fossil_print("OpenSSL-cert-file: %s\n", X509_get_default_cert_file()); |
| 550 | fossil_print("OpenSSL-cert-dir: %s\n", X509_get_default_cert_dir()); |
| 551 | zName = X509_get_default_cert_file_env(); |
| 552 | zValue = fossil_getenv(zName); |
| 553 | if( zValue==0 ) zValue = ""; |
| 554 | nName = strlen(zName); |
| 555 | fossil_print("%s:%.*s%s\n", zName, 19-nName, "", zValue); |
| 556 | zName = X509_get_default_cert_dir_env(); |
| 557 | zValue = fossil_getenv(zName); |
| 558 | if( zValue==0 ) zValue = ""; |
| 559 | nName = strlen(zName); |
| 560 | fossil_print("%s:%.*s%s\n", zName, 19-nName, "", zValue); |
| 561 | nHit++; |
| 562 | fossil_print("ssl-ca-location: %s\n", db_get("ssl-ca-location","")); |
| 563 | fossil_print("ssl-identity: %s\n", db_get("ssl-identity","")); |
| 564 | db_prepare(&q, |
| 565 | "SELECT name FROM global_config" |
| 566 | " WHERE name GLOB 'cert:*'" |
| 567 | "UNION ALL " |
| 568 | "SELECT name FROM config" |
| 569 | " WHERE name GLOB 'cert:*'" |
| 570 | " ORDER BY name" |
| 571 | ); |
| 572 | while( db_step(&q)==SQLITE_ROW ){ |
| 573 | fossil_print("exception: %s\n", db_column_text(&q,0)+5); |
| 574 | } |
| 575 | db_finalize(&q); |
| 576 | }else |
| 577 | if( strncmp("remove-exception",zCmd,nCmd)==0 ){ |
| 578 | int i; |
| 579 | Blob sql; |
| 580 | char *zSep = "("; |
| 581 | db_begin_transaction(); |
| 582 | blob_init(&sql, 0, 0); |
| 583 | if( g.argc==4 && find_option("all",0,0)!=0 ){ |
| 584 | blob_append_sql(&sql, |
| 585 | "DELETE FROM global_config WHERE name GLOB 'cert:*';\n" |
| 586 | "DELETE FROM global_config WHERE name GLOB 'trusted:*';\n" |
| 587 | "DELETE FROM config WHERE name GLOB 'cert:*';\n" |
| 588 | "DELETE FROM config WHERE name GLOB 'trusted:*';\n" |
| 589 | ); |
| 590 | }else{ |
| 591 | if( g.argc<4 ){ |
| 592 | usage("remove-exception DOMAIN-NAME ..."); |
| 593 | } |
| 594 | blob_append_sql(&sql,"DELETE FROM global_config WHERE name IN "); |
| 595 | for(i=3; i<g.argc; i++){ |
| 596 | blob_append_sql(&sql,"%s'cert:%q','trust:%q'", |
| 597 | zSep/*safe-for-%s*/, g.argv[i], g.argv[i]); |
| 598 | zSep = ","; |
| 599 | } |
| 600 | blob_append_sql(&sql,");\n"); |
| 601 | zSep = "("; |
| 602 | blob_append_sql(&sql,"DELETE FROM config WHERE name IN "); |
| 603 | for(i=3; i<g.argc; i++){ |
| 604 | blob_append_sql(&sql,"%s'cert:%q','trusted:%q'", |
| 605 | zSep/*safe-for-%s*/, g.argv[i], g.argv[i]); |
| 606 | zSep = ","; |
| 607 | } |
| 608 | blob_append_sql(&sql,");"); |
| 609 | } |
| 610 | db_exec_sql(blob_str(&sql)); |
| 611 | db_commit_transaction(); |
| 612 | blob_reset(&sql); |
| 613 | }else |
| 614 | /*default*/{ |
| 615 | fossil_fatal("unknown sub-command \"%s\".\nshould be one of:" |
| 616 | " remove-exception show", |
| 617 | zCmd); |
| 618 | } |
| 619 | #endif |
| 620 | } |
| 621 |
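Review bot: `nHit` is incremented on line 561 but never read, and in the `!FOSSIL_ENABLE_SSL` build `zCmd`, `nCmd` and `nHit` are declared and never used, which will draw unused-variable warnings; either drop `nHit` or make it do something (fall into the unknown-sub-command error when it is still 0) and move the three declarations under `#else`. The prefix match `strncmp("show",zCmd,nCmd)==0` on line 544 also accepts an empty `argv[2]` because `nCmd==0` compares zero characters, so `fossil tls-config ""` silently runs `show`; a `if( nCmd==0 ) fossil_fatal("missing sub-command");` guard before the comparisons closes that. A one-line comment above line 583 stating that `--all` must be the only argument would make the argc==4 condition less surprising to the next reader.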