Fossil SCM

Client side verification of SSL server certificates should use system wide default CAs

Fixed

f696bc85f8b91d2… · opened 15 years, 8 months ago

Type: Feature_Request
Priority:
Severity: Minor
Resolution: Fixed
Subsystem:
Created: July 14, 2010 2:50 p.m.

Most installations of OpenSSL come with a system-wide directory of default certificate authorities, and most applications using OpenSSL make use of this certificate store during server certificate verification, which is handy because a system administrator only has to manage one central store of acceptable certificate authorities.

Fossil presently doesn't use the system-wide CA certificate store, but I think it should :-) The necessary change is only one line of code:


Index: src/http_ssl.c
===================================================================
--- src/http_ssl.c
+++ src/http_ssl.c
@@ -90,10 +90,11 @@
     SSL_library_init();
     SSL_load_error_strings();
     ERR_load_BIO_strings();
     OpenSSL_add_all_algorithms();
     sslCtx = SSL_CTX_new(SSLv23_client_method());
+    X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx));
     sslIsInit = 1;
   }
 }

 /*
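Review bot: the return value of X509_STORE_set_default_paths() is dropped on the added line. It returns 0 only when a lookup method cannot be registered on the store; a missing default CA file or directory is tolerated silently (OpenSSL clears those errors and still returns 1), so the store can end up empty with no diagnostic and every server certificate is then rejected once verification runs. Suggest checking the result and reporting a failure, and consider the equivalent context-level call `SSL_CTX_set_default_verify_paths(sslCtx);`, which avoids the SSL_CTX_get_cert_store() detour. Nothing in this hunk enables verification (no SSL_CTX_set_verify() with SSL_VERIFY_PEER is visible), so it is worth confirming that peer verification is switched on elsewhere in http_ssl.c; otherwise the freshly populated store is never consulted.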

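The difference the ticket describes, between a verifying client context with an empty trust store and one that trusts the system-wide default CA store, can be shown with Python's standard `ssl` module, which wraps the same OpenSSL calls: `SSLContext.load_default_certs()` calls `SSL_CTX_set_default_verify_paths()`, the context-level form of the `X509_STORE_set_default_paths()` call in the patch. This is an added example, not code from the ticket or from Fossil; the function names `default_ca_paths`, `bare_client_context`, `system_trust_client_context`, `ca_count` and `trust_summary` are my own.

```python
"""Added example (not Fossil's code): a TLS client context that trusts the
system-wide default CA store versus one with no trust anchors at all."""
import ssl


def default_ca_paths() -> dict:
    """Where OpenSSL looks for the default CA file and CA directory, plus the
    environment variables that override them (normally SSL_CERT_FILE and
    SSL_CERT_DIR). cafile/capath are None when the path does not exist."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,
        "capath": p.capath,
        "cafile_env": p.openssl_cafile_env,
        "capath_env": p.openssl_capath_env,
    }


def bare_client_context() -> ssl.SSLContext:
    """Verifying client context that loads NO trust anchors.
    PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking, but the
    X509 store stays empty, so no server chain can ever be validated. This is
    the situation the ticket complains about: verification without a CA set."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def system_trust_client_context() -> ssl.SSLContext:
    """Verifying client context that trusts the system-wide CA store, i.e. the
    behaviour the ticket asks for. load_default_certs() raises if OpenSSL cannot
    register its default lookups (the case where the C call returns 0); a
    missing CA bundle is NOT an error in either API, the store just stays empty,
    which is why ca_count() below is worth checking after loading."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates currently held in the context's X509 store."""
    return ctx.cert_store_stats()["x509_ca"]


def trust_summary() -> dict:
    """Compare the two contexts: same verification settings, different stores."""
    bare = bare_client_context()
    system = system_trust_client_context()
    return {
        "verify_mode_is_required": bare.verify_mode == ssl.CERT_REQUIRED,
        "hostname_check": bare.check_hostname,
        "bare_ca_count": ca_count(bare),
        "system_ca_count": ca_count(system),
    }


if __name__ == "__main__":
    print(default_ca_paths())
    print(trust_summary())
```

On a host with a normal CA bundle installed, `system_ca_count` is in the hundreds while `bare_ca_count` is 0; on a host without one, both are 0 and `load_default_certs()` still succeeds, which is the case an application should detect and report rather than leave a context that rejects every server.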