serf-dev mailing list archives
From "Bert Huijben (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SERF-179) Add CAFILE, CAPATH, CAFALLBACK as compile time option
Date Fri, 24 Jun 2016 09:46:16 GMT

    [ https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348073#comment-15348073 ]

Bert Huijben edited comment on SERF-179 at 6/24/16 9:46 AM:
------------------------------------------------------------

I don't think we should require recompiling to change settings like these. We already have
APIs for applying these settings so applications can expose these options in their own config
file. We also have a function to enable loading the OpenSSL (or other SSL implementation if
you choose) default CA settings.

Applications like Subversion already use these features. 

And at least FreeBSD and Ubuntu (including Ubuntu on Windows) configure Subversion so that I
don't have to accept servers manually, using their managed lists with the current support.


was (Author: rhuijben):
I don't think we should require recompiling to change settings like these. We already have
APIs for changing these so applications can expose these options in their config file. We
also have a function to enable loading the OpenSSL (or other SSL implementation if you choose)
default CA settings.

Applications like Subversion already use these features. 

And at least FreeBSD and Ubuntu (including Ubuntu on Windows) configure Subversion so that I
don't have to accept servers manually, using their managed lists with the current support.

> Add CAFILE, CAPATH, CAFALLBACK as compile time option
> -----------------------------------------------------
>
>                 Key: SERF-179
>                 URL: https://issues.apache.org/jira/browse/SERF-179
>             Project: serf
>          Issue Type: Improvement
>    Affects Versions: serf-1.3.8
>            Reporter: Michael Osipov
>
> Currently, libserf does not provide an option to supply a PEM bundle with CAs. Subversion
always nags whether the target host can be trusted. This is annoying and can be automated.
> Add three options supported by OpenSSL natively:
> * {{scons CAFILE=/path/to/ca.pem}}
> * {{scons CAPATH=/path/to/directory-with-pems}}
> * {{scons CAFALLBACK=yes}}
> Three defines can be added then: {{SERF_CA_BUNDLE}}, {{SERF_CA_PATH}} and {{SERF_CA_FALLBACK}}.
This can be safely fed into {{SSL_CTX_load_verify_locations(3)}} and {{SSL_CTX_set_default_verify_paths(3)}}.
[OpenSSL reference|https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html].
> This idea has freely been taken from {{libcurl}} which does this exactly.
> * [bundle and path m4 macros|https://github.com/curl/curl/blob/d9f3b365a3b663d6e45ff734a86b313e2fbcbbf2/acinclude.m4#L2560-L2719]
> * [Source code spots|https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L1967-L2009]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
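The thread contrasts baking CAFILE/CAPATH/CAFALLBACK into the binary at build time with choosing the CA sources at run time through the library's API. The following is an added illustration, not serf's, Subversion's or libcurl's code: it shows the run-time variant using Python's ssl module, whose load_verify_locations() and load_default_certs() wrap the same SSL_CTX_load_verify_locations(3) and SSL_CTX_set_default_verify_paths(3) calls named in the issue. The precedence policy (application values, then OpenSSL's SSL_CERT_FILE / SSL_CERT_DIR environment variables, then the library defaults as a fallback) and the CaConfig, resolve_ca_config, check_ca_sources and build_verify_context names are this example's own assumptions.

```python
"""Run-time CA configuration for an OpenSSL-backed TLS client (added example).

Python's ssl module maps onto the OpenSSL calls discussed in SERF-179:
  SSLContext.load_verify_locations()  -> SSL_CTX_load_verify_locations(3)
  SSLContext.load_default_certs()     -> SSL_CTX_set_default_verify_paths(3)
"""
import os
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CaConfig:
    cafile: Optional[str] = None   # PEM bundle, the CAFILE of the issue
    capath: Optional[str] = None   # directory of hashed PEMs, the CAPATH of the issue
    fallback: bool = False         # also load the library defaults, the CAFALLBACK of the issue


def resolve_ca_config(explicit: CaConfig, env: Dict[str, str]) -> CaConfig:
    """Decide the CA sources at run time instead of compile time.

    Precedence (assumed policy for this example): values supplied by the
    application win, then OpenSSL's own SSL_CERT_FILE / SSL_CERT_DIR
    environment variables; if neither names a source, fall back to the
    library defaults so the client never ends up with an empty trust store.
    """
    cafile = explicit.cafile or env.get("SSL_CERT_FILE") or None
    capath = explicit.capath or env.get("SSL_CERT_DIR") or None
    fallback = explicit.fallback or (cafile is None and capath is None)
    return CaConfig(cafile=cafile, capath=capath, fallback=fallback)


def check_ca_sources(cfg: CaConfig) -> List[str]:
    """Pre-flight checks, so a misconfiguration is reported once at startup
    rather than surfacing as a verification failure on every connection."""
    problems: List[str] = []
    if cfg.cafile is not None and not os.path.isfile(cfg.cafile):
        problems.append(f"cafile does not exist: {cfg.cafile}")
    if cfg.capath is not None and not os.path.isdir(cfg.capath):
        problems.append(f"capath is not a directory: {cfg.capath}")
    if cfg.cafile is None and cfg.capath is None and not cfg.fallback:
        problems.append("no CA source configured and fallback disabled; "
                        "every server certificate would be rejected")
    return problems


def build_verify_context(cfg: CaConfig) -> ssl.SSLContext:
    """Build a client context that verifies peers against the chosen sources."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Keep verification mandatory; the fix for "nagging" prompts is a proper
    # trust store, never CERT_NONE.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cfg.cafile is not None or cfg.capath is not None:
        # SSL_CTX_load_verify_locations: a missing cafile raises OSError here,
        # at configuration time, rather than failing later on every handshake.
        ctx.load_verify_locations(cafile=cfg.cafile, capath=cfg.capath)
    if cfg.fallback:
        # SSL_CTX_set_default_verify_paths (plus the OS store on Windows/macOS)
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


if __name__ == "__main__":
    cfg = resolve_ca_config(CaConfig(), dict(os.environ))
    for problem in check_ca_sources(cfg):
        print("warning:", problem)
    ctx = build_verify_context(cfg)
    print("trusted CA certificates loaded:", ctx.cert_store_stats()["x509_ca"])
```

Run as a script it reports how many CA certificates the resolved configuration actually loaded, which is the quickest way to see whether a distribution's managed list (the FreeBSD/Ubuntu case above) is being picked up through the defaults or whether an explicit bundle or directory is needed.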
