Fossil SCM
Change the priority of trust-store location search so that environment variables SSL_CERT_FILE and SSL_CERT_DIR take precedence over the ssl-ca-location setting. This allows a one-command override of the ssl-ca-location for testing or debugging.
Commit
e225dc9deca843d6a45a269343fb53e5411f374ad28fed0de62f1e22555a7dd7
Parent
c8a7ee7e4cf78ae…
1 file changed
+52
-33
+52
-33
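--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -248,49 +248,67 @@
 /*
 ** Call this routine once before any other use of the SSL interface.
 ** This routine does initial configuration of the SSL module.
 */
 static void ssl_global_init_client(void){
-const char *zCaSetting = 0;
 const char *identityFile;
 
 if( sslIsInit==0 ){
+const char *zFile;
+const char *zCaFile = 0;
+const char *zCaDirectory = 0;
+int i;
+
 SSL_library_init();
 SSL_load_error_strings();
 OpenSSL_add_all_algorithms();
 sslCtx = SSL_CTX_new(SSLv23_client_method());
 /* Disable SSLv2 and SSLv3 */
 SSL_CTX_set_options(sslCtx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
 
-/* Set up acceptable CA root certificates */
-zCaSetting = db_get("ssl-ca-location", 0);
-if( zCaSetting==0 || zCaSetting[0]=='\0' ){
-/* CA location not specified, use platform's default certificate store */
-X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx));
-}else{
-/* User has specified a CA location, make sure it exists and use it */
-const char *zCaFile = 0;
-const char *zCaDirectory = 0;
-switch( file_isdir(zCaSetting, ExtFILE) ){
+/* Find the trust store */
+zFile = 0;
+for(i=0; zFile==0 && i<5; i++){
+switch( i ){
+case 0: /* First priority is environmentn variables */
+zFile = fossil_getenv(X509_get_default_cert_file_env());
+break;
+case 1:
+zFile = fossil_getenv(X509_get_default_cert_dir_env());
+break;
+case 2:
+zFile = db_get("ssl-ca-location",0);
+break;
+case 3:
+zFile = X509_get_default_cert_file();
+break;
+case 4:
+zFile = X509_get_default_cert_dir();
+break;
+}
+if( zFile==0 ) continue;
+switch( file_isdir(zFile, ExtFILE) ){
 case 0: { /* doesn't exist */
-fossil_fatal("ssl-ca-location is set to '%s', "
-"but is not a file or directory", zCaSetting);
+zFile = 0;
 break;
 }
 case 1: { /* directory */
-zCaDirectory = zCaSetting;
+zCaFile = 0;
+zCaDirectory = zFile;
 break;
 }
 case 2: { /* file */
-zCaFile = zCaSetting;
+zCaFile = zFile;
+zCaDirectory = 0;
 break;
 }
 }
-if( SSL_CTX_load_verify_locations(sslCtx, zCaFile, zCaDirectory)==0 ){
-fossil_fatal("Failed to use CA root certificates from "
-"ssl-ca-location '%s'", zCaSetting);
-}
+}
+if( zFile==0 ){
+/* fossil_fatal("Cannot find a trust store"); */
+}else if( SSL_CTX_load_verify_locations(sslCtx, zCaFile, zCaDirectory)==0 ){
+fossil_fatal("Cannot load CA root certificates from %s", zFile);
 }
 
 /* Load client SSL identity, preferring the filename specified on the
 ** command line */
 if( g.zSSLIdentity!=0 ){
@@ -954,22 +972,10 @@
 " later is recommended.\n\n"
 );
 }
 
 fossil_print("Trust store location\n");
-zValue = db_get("ssl-ca-location","");
-trust_location_usable(zValue, &zUsed);
-fossil_print(" ssl-ca-location: %s\n", zValue);
-if( verbose ){
-fossil_print("\n"
-" This setting is the name of a file or directory that contains\n"
-" the complete set of root certificates used by Fossil when it\n"
-" is acting as a SSL client. If defined, this setting takes\n"
-" priority over built-in paths and environment variables\n\n"
-);
-}
-
 zName = X509_get_default_cert_file_env();
 zValue = fossil_getenv(zName);
 if( zValue==0 ) zValue = "";
 trust_location_usable(zValue, &zUsed);
 nName = strlen(zName);
@@ -982,14 +988,27 @@
 fossil_print(" %s:%*s%s\n", zName, 19-nName, "", zValue);
 if( verbose ){
 fossil_print("\n"
 " Environment variables that determine alternative locations for\n"
 " the root certificates used by Fossil when it is acting as a SSL\n"
-" client. If specified, these alternative locations override\n"
-" the built-in locations.\n\n"
+" client. If specified, these alternative locations take top\n"
+" priority.\n\n"
+);
+}
+
+zValue = db_get("ssl-ca-location","");
+trust_location_usable(zValue, &zUsed);
+fossil_print(" ssl-ca-location: %s\n", zValue);
+if( verbose ){
+fossil_print("\n"
+" This setting is the name of a file or directory that contains\n"
+" the complete set of root certificates used by Fossil when it\n"
+" is acting as a SSL client. If defined, this setting takes\n"
+" priority over built-in paths.\n\n"
 );
 }
+
 
 zValue = X509_get_default_cert_file();
 trust_location_usable(zValue, &zUsed);
 fossil_print(" OpenSSL-cert-file: %s\n", zValue);
 zValue = X509_get_default_cert_dir();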
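Review bot: In the first hunk, inside ssl_global_init_client, a trust-store candidate that is set but unusable is now skipped silently: `case 0` of the `file_isdir()` switch only resets `zFile = 0`, so a mistyped SSL_CERT_FILE, SSL_CERT_DIR or ssl-ca-location falls through to the next location, where the old code stopped with `fossil_fatal` for a bad ssl-ca-location. The server certificate is then checked against a different set of roots than the one the operator named, so I would keep the failure visible for the three operator-supplied candidates, for example `if( i<3 && zFile[0] ) fossil_fatal("trust store '%s' is not a file or directory", zFile);` before the reset. When all five candidates fail, `fossil_fatal("Cannot find a trust store")` is commented out and the removed `X509_STORE_set_default_paths()` call has no replacement, so the context appears to be left with no roots loaded; either restore the fatal or add a comment explaining why continuing is acceptable. The loop also stops at the first usable candidate, so the default cert file and default cert directory are no longer both consulted as they were through `X509_STORE_set_default_paths()`. The function body continues past the end of the hunk, so how verification failures are handled later is not visible here.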
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -248,49 +248,67 @@ | |
| 248 | /* |
| 249 | ** Call this routine once before any other use of the SSL interface. |
| 250 | ** This routine does initial configuration of the SSL module. |
| 251 | */ |
| 252 | static void ssl_global_init_client(void){ |
| 253 | const char *zCaSetting = 0; |
| 254 | const char *identityFile; |
| 255 | |
| 256 | if( sslIsInit==0 ){ |
| 257 | SSL_library_init(); |
| 258 | SSL_load_error_strings(); |
| 259 | OpenSSL_add_all_algorithms(); |
| 260 | sslCtx = SSL_CTX_new(SSLv23_client_method()); |
| 261 | /* Disable SSLv2 and SSLv3 */ |
| 262 | SSL_CTX_set_options(sslCtx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); |
| 263 | |
| 264 | /* Set up acceptable CA root certificates */ |
| 265 | zCaSetting = db_get("ssl-ca-location", 0); |
| 266 | if( zCaSetting==0 || zCaSetting[0]=='\0' ){ |
| 267 | /* CA location not specified, use platform's default certificate store */ |
| 268 | X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx)); |
| 269 | }else{ |
| 270 | /* User has specified a CA location, make sure it exists and use it */ |
| 271 | const char *zCaFile = 0; |
| 272 | const char *zCaDirectory = 0; |
| 273 | switch( file_isdir(zCaSetting, ExtFILE) ){ |
| 274 | case 0: { /* doesn't exist */ |
| 275 | fossil_fatal("ssl-ca-location is set to '%s', " |
| 276 | "but is not a file or directory", zCaSetting); |
| 277 | break; |
| 278 | } |
| 279 | case 1: { /* directory */ |
| 280 | zCaDirectory = zCaSetting; |
| 281 | break; |
| 282 | } |
| 283 | case 2: { /* file */ |
| 284 | zCaFile = zCaSetting; |
| 285 | break; |
| 286 | } |
| 287 | } |
| 288 | if( SSL_CTX_load_verify_locations(sslCtx, zCaFile, zCaDirectory)==0 ){ |
| 289 | fossil_fatal("Failed to use CA root certificates from " |
| 290 | "ssl-ca-location '%s'", zCaSetting); |
| 291 | } |
| 292 | } |
| 293 | |
| 294 | /* Load client SSL identity, preferring the filename specified on the |
| 295 | ** command line */ |
| 296 | if( g.zSSLIdentity!=0 ){ |
| @@ -954,22 +972,10 @@ | |
| 954 | " later is recommended.\n\n" |
| 955 | ); |
| 956 | } |
| 957 | |
| 958 | fossil_print("Trust store location\n"); |
| 959 | zValue = db_get("ssl-ca-location",""); |
| 960 | trust_location_usable(zValue, &zUsed); |
| 961 | fossil_print(" ssl-ca-location: %s\n", zValue); |
| 962 | if( verbose ){ |
| 963 | fossil_print("\n" |
| 964 | " This setting is the name of a file or directory that contains\n" |
| 965 | " the complete set of root certificates used by Fossil when it\n" |
| 966 | " is acting as a SSL client. If defined, this setting takes\n" |
| 967 | " priority over built-in paths and environment variables\n\n" |
| 968 | ); |
| 969 | } |
| 970 | |
| 971 | zName = X509_get_default_cert_file_env(); |
| 972 | zValue = fossil_getenv(zName); |
| 973 | if( zValue==0 ) zValue = ""; |
| 974 | trust_location_usable(zValue, &zUsed); |
| 975 | nName = strlen(zName); |
| @@ -982,14 +988,27 @@ | |
| 982 | fossil_print(" %s:%*s%s\n", zName, 19-nName, "", zValue); |
| 983 | if( verbose ){ |
| 984 | fossil_print("\n" |
| 985 | " Environment variables that determine alternative locations for\n" |
| 986 | " the root certificates used by Fossil when it is acting as a SSL\n" |
| 987 | " client. If specified, these alternative locations override\n" |
| 988 | " the built-in locations.\n\n" |
| 989 | ); |
| 990 | } |
| 991 | |
| 992 | zValue = X509_get_default_cert_file(); |
| 993 | trust_location_usable(zValue, &zUsed); |
| 994 | fossil_print(" OpenSSL-cert-file: %s\n", zValue); |
| 995 | zValue = X509_get_default_cert_dir(); |
| 996 |
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -248,49 +248,67 @@ | |
| 248 | /* |
| 249 | ** Call this routine once before any other use of the SSL interface. |
| 250 | ** This routine does initial configuration of the SSL module. |
| 251 | */ |
| 252 | static void ssl_global_init_client(void){ |
| 253 | const char *identityFile; |
| 254 | |
| 255 | if( sslIsInit==0 ){ |
| 256 | const char *zFile; |
| 257 | const char *zCaFile = 0; |
| 258 | const char *zCaDirectory = 0; |
| 259 | int i; |
| 260 | |
| 261 | SSL_library_init(); |
| 262 | SSL_load_error_strings(); |
| 263 | OpenSSL_add_all_algorithms(); |
| 264 | sslCtx = SSL_CTX_new(SSLv23_client_method()); |
| 265 | /* Disable SSLv2 and SSLv3 */ |
| 266 | SSL_CTX_set_options(sslCtx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); |
| 267 | |
| 268 | /* Find the trust store */ |
| 269 | zFile = 0; |
| 270 | for(i=0; zFile==0 && i<5; i++){ |
| 271 | switch( i ){ |
| 272 | case 0: /* First priority is environmentn variables */ |
| 273 | zFile = fossil_getenv(X509_get_default_cert_file_env()); |
| 274 | break; |
| 275 | case 1: |
| 276 | zFile = fossil_getenv(X509_get_default_cert_dir_env()); |
| 277 | break; |
| 278 | case 2: |
| 279 | zFile = db_get("ssl-ca-location",0); |
| 280 | break; |
| 281 | case 3: |
| 282 | zFile = X509_get_default_cert_file(); |
| 283 | break; |
| 284 | case 4: |
| 285 | zFile = X509_get_default_cert_dir(); |
| 286 | break; |
| 287 | } |
| 288 | if( zFile==0 ) continue; |
| 289 | switch( file_isdir(zFile, ExtFILE) ){ |
| 290 | case 0: { /* doesn't exist */ |
| 291 | zFile = 0; |
| 292 | break; |
| 293 | } |
| 294 | case 1: { /* directory */ |
| 295 | zCaFile = 0; |
| 296 | zCaDirectory = zFile; |
| 297 | break; |
| 298 | } |
| 299 | case 2: { /* file */ |
| 300 | zCaFile = zFile; |
| 301 | zCaDirectory = 0; |
| 302 | break; |
| 303 | } |
| 304 | } |
| 305 | } |
| 306 | if( zFile==0 ){ |
| 307 | /* fossil_fatal("Cannot find a trust store"); */ |
| 308 | }else if( SSL_CTX_load_verify_locations(sslCtx, zCaFile, zCaDirectory)==0 ){ |
| 309 | fossil_fatal("Cannot load CA root certificates from %s", zFile); |
| 310 | } |
| 311 | |
| 312 | /* Load client SSL identity, preferring the filename specified on the |
| 313 | ** command line */ |
| 314 | if( g.zSSLIdentity!=0 ){ |
| @@ -954,22 +972,10 @@ | |
| 972 | " later is recommended.\n\n" |
| 973 | ); |
| 974 | } |
| 975 | |
| 976 | fossil_print("Trust store location\n"); |
| 977 | zName = X509_get_default_cert_file_env(); |
| 978 | zValue = fossil_getenv(zName); |
| 979 | if( zValue==0 ) zValue = ""; |
| 980 | trust_location_usable(zValue, &zUsed); |
| 981 | nName = strlen(zName); |
| @@ -982,14 +988,27 @@ | |
| 988 | fossil_print(" %s:%*s%s\n", zName, 19-nName, "", zValue); |
| 989 | if( verbose ){ |
| 990 | fossil_print("\n" |
| 991 | " Environment variables that determine alternative locations for\n" |
| 992 | " the root certificates used by Fossil when it is acting as a SSL\n" |
| 993 | " client. If specified, these alternative locations take top\n" |
| 994 | " priority.\n\n" |
| 995 | ); |
| 996 | } |
| 997 | |
| 998 | zValue = db_get("ssl-ca-location",""); |
| 999 | trust_location_usable(zValue, &zUsed); |
| 1000 | fossil_print(" ssl-ca-location: %s\n", zValue); |
| 1001 | if( verbose ){ |
| 1002 | fossil_print("\n" |
| 1003 | " This setting is the name of a file or directory that contains\n" |
| 1004 | " the complete set of root certificates used by Fossil when it\n" |
| 1005 | " is acting as a SSL client. If defined, this setting takes\n" |
| 1006 | " priority over built-in paths.\n\n" |
| 1007 | ); |
| 1008 | } |
| 1009 | |
| 1010 | |
| 1011 | zValue = X509_get_default_cert_file(); |
| 1012 | trust_location_usable(zValue, &zUsed); |
| 1013 | fossil_print(" OpenSSL-cert-file: %s\n", zValue); |
| 1014 | zValue = X509_get_default_cert_dir(); |
| 1015 |