serf-dev mailing list archives

From "Bert Huijben (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SERF-179) Add CAFILE, CAPATH, CAFALLBACK as compile time option
Date Fri, 24 Jun 2016 12:42:16 GMT

[ https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348206#comment-15348206 ]

Bert Huijben edited comment on SERF-179 at 6/24/16 12:42 PM:
-------------------------------------------------------------

An application can call serf_ssl_use_default_certificates() (as Subversion does, unless you
explicitly configure in its config file that it shouldn't). This makes serf ask OpenSSL to
use the default config, which should have been configured by the platform maintainer.

I'm not a platform maintainer, but if I were one I would rather configure this once for OpenSSL
than separately for every application that uses OpenSSL.

On FreeBSD the 'ca_root_nss' package maintains a set of root certificates in a way that they
are directly handled by OpenSSL, and via that path Subversion.


was (Author: rhuijben):
An application can call serf_ssl_use_default_certificates() (as Subversion does, unless you
explicitly configure in its config file that it shouldn't). This makes serf ask OpenSSL to
use the default config, which should have been configured by the platform maintainer.

I'm not a platform maintainer, but if I were one I would rather configure this once for OpenSSL
than separately for every application that uses OpenSSL.

On FreeBSD the 'ca_root_nss' package maintains a set of root certificates in a way that they
are directly handled by OpenSSL, and -via that path- Subversion.

> Add CAFILE, CAPATH, CAFALLBACK as compile time option
> -----------------------------------------------------
>
>                 Key: SERF-179
>                 URL: https://issues.apache.org/jira/browse/SERF-179
>             Project: serf
>          Issue Type: Improvement
>    Affects Versions: serf-1.3.8
>            Reporter: Michael Osipov
>
> Currently, libserf does not provide an option to supply a PEM bundle with CAs. Subversion
> always nags whether the target host can be trusted. This is annoying and can be automated.
> Add three options supported by OpenSSL natively:
> * {{scons CAFILE=/path/to/ca.pem}}
> * {{scons CAPATH=/path/to/directory-with-pems}}
> * {{scons CAFALLBACK=yes}}
> Three defines can be added then: {{SERF_CA_BUNDLE}}, {{SERF_CA_PATH}} and {{SERF_CA_FALLBACK}}.
> These can be safely fed into {{SSL_CTX_load_verify_locations(3)}} and {{SSL_CTX_set_default_verify_paths(3)}}.
> [OpenSSL reference|https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html].
> This idea has freely been taken from {{libcurl}}, which does exactly this.
> * [bundle and path m4 macros|https://github.com/curl/curl/blob/d9f3b365a3b663d6e45ff734a86b313e2fbcbbf2/acinclude.m4#L2560-L2719]
> * [Source code spots|https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L1967-L2009]
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
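The two trust-store strategies discussed in this thread, the application deferring to OpenSSL's platform defaults (what serf_ssl_use_default_certificates() does, per the comment above) versus a build-time CAFILE/CAPATH with an optional CAFALLBACK (the issue's proposal, modelled on libcurl), come down to a choice between two OpenSSL calls: SSL_CTX_set_default_verify_paths() and SSL_CTX_load_verify_locations(). The example below is added here and is not code from serf, Subversion or libcurl; it uses Python's standard-library ssl module, whose load_default_certs() and load_verify_locations() wrap exactly those two OpenSSL calls, so the decision logic can be exercised without a C toolchain. The function names, parameter names and the scenarios are hypothetical and constructed for this illustration.

```python
import os
import ssl
import tempfile

# Added example (not serf/Subversion/libcurl code): the CAFILE / CAPATH /
# CAFALLBACK decision from SERF-179, written against Python's stdlib ssl
# module.  ssl.SSLContext.load_verify_locations() calls
# SSL_CTX_load_verify_locations() and load_default_certs() calls
# SSL_CTX_set_default_verify_paths(), the two OpenSSL entry points the
# issue names.  All names below are hypothetical.


def build_verify_context(ca_bundle=None, ca_path=None, ca_fallback=False,
                         use_default_certs=False):
    """Return (ctx, source), where source records which trust store was loaded:

      "default"    - serf_ssl_use_default_certificates() style: platform defaults
      "configured" - the compile-time bundle and/or hashed directory was loaded
      "fallback"   - bundle/path failed (or was not given) and CAFALLBACK
                     switched to the platform defaults
      "none"       - nothing loaded: every server certificate will be rejected
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # already the default here; made explicit
    ctx.check_hostname = True

    if use_default_certs:
        # SSL_CTX_set_default_verify_paths(): whatever the platform maintainer
        # installed, or SSL_CERT_FILE / SSL_CERT_DIR from the environment.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
        return ctx, "default"

    if ca_bundle is not None or ca_path is not None:
        try:
            # SSL_CTX_load_verify_locations(): PEM bundle and/or c_rehash'd directory.
            ctx.load_verify_locations(cafile=ca_bundle, capath=ca_path)
            return ctx, "configured"
        except OSError:            # ssl.SSLError is an OSError subclass
            if not ca_fallback:
                raise              # strict build: a bad CAFILE is a hard error

    if ca_fallback:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
        return ctx, "fallback"

    return ctx, "none"


def trust_source_for(ca_bundle=None, ca_path=None, ca_fallback=False):
    """Report only the trust source; re-raises on a hard load failure."""
    return build_verify_context(ca_bundle, ca_path, ca_fallback)[1]


def platform_default_paths():
    """Where OpenSSL looks when asked for its defaults, plus the env overrides."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,                  # None if the compiled-in file is absent
        "capath": p.capath,                  # None if the compiled-in dir is absent
        "cafile_env": p.openssl_cafile_env,  # "SSL_CERT_FILE"
        "capath_env": p.openssl_capath_env,  # "SSL_CERT_DIR"
    }


def run_scenarios():
    """Constructed scenarios: an empty CA directory and a bundle that does not exist."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        missing = os.path.join(d, "ca-bundle.pem")   # deliberately never created
        results["empty_capath"] = trust_source_for(ca_path=d)
        results["missing_bundle_fallback"] = trust_source_for(ca_bundle=missing,
                                                              ca_fallback=True)
        try:
            trust_source_for(ca_bundle=missing, ca_fallback=False)
            results["missing_bundle_strict"] = "loaded"
        except OSError:
            results["missing_bundle_strict"] = "error"
        results["nothing"] = trust_source_for()
    return results


if __name__ == "__main__":
    print(platform_default_paths())
    for name, source in run_scenarios().items():
        print(f"{name}: {source}")
```

Two points the scenarios make visible: a missing CAFILE is a load-time error that CAFALLBACK turns into a silent switch to the platform store, so a build with CAFALLBACK=yes can end up trusting a different set of roots than the one it was configured with; and an existing but empty CAPATH loads without any error, because OpenSSL only records the directory and looks up hashed file names at verification time, so a directory that was never run through c_rehash shows up only as every connection failing verification.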
