From "Michael Osipov (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SERF-179) Add CAFILE, CAPATH, CAFALLBACK as compile time option
Date Fri, 24 Jun 2016 13:05:16 GMT

[ https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348228#comment-15348228 ]

Michael Osipov edited comment on SERF-179 at 6/24/16 1:04 PM:
--------------------------------------------------------------

Just checked the function and it uses {{X509_STORE_set_default_paths}} and it seems that
this function is not publicly documented in manmaster of OpenSSL.

Something seems to be fishy here. I will try with serf from trunk and {{strace}} whether
an {{fopen}} is really performed to that file. There must be some reason why Subversion tells
me that it does not trust my cert. Though, I would swap the internal X509 with [{{SSL_CTX_set_default_verify_paths}}|https://github.com/openssl/openssl/blob/f430ba31ac81f27f0014320fee335d2dc4562a95/ssl/ssl_lib.c#L3351-L3353].

I will get back to you as soon as possible.


was (Author: michael-o):
Just checked the function and it uses {{X509_STORE_set_default_paths}} and it seems that
this function is not publicly documented in manmaster of OpenSSL.

Something seems to be fishy here. I will try with serf from trunk and {{strace}} whether
an {{fopen}} is really performed to that file. There must be some reason why Subversion tells
me that it does not trust my cert. Though, I would swap the internal X509 with [{{SSL_CTX_set_default_verify_paths}}](https://github.com/openssl/openssl/blob/f430ba31ac81f27f0014320fee335d2dc4562a95/ssl/ssl_lib.c#L3351-L3353).

I will get back to you as soon as possible.

> Add CAFILE, CAPATH, CAFALLBACK as compile time option
> -----------------------------------------------------
>
>                 Key: SERF-179
>                 URL: https://issues.apache.org/jira/browse/SERF-179
>             Project: serf
>          Issue Type: Improvement
>    Affects Versions: serf-1.3.8
>            Reporter: Michael Osipov
>
> Currently, libserf does not provide an option to supply a PEM bundle with CAs. Subversion
always nags whether the target host can be trusted. This is annoying and can be automated.
> Add three options supported by OpenSSL natively:
> * {{scons CAFILE=/path/to/ca.pem}}
> * {{scons CAPATH=/path/to/directory-with-pems}}
> * {{scons CAFALLBACK=yes}}
> Three defines can be added then: {{SERF_CA_BUNDLE}},  {{SERF_CA_PATH}} and {{SERF_CA_FALLBACK}}.
This can be safely fed into {{SSL_CTX_load_verify_locations(3)}} and {{SSL_CTX_set_default_verify_paths(3)}}.
[OpenSSL reference|https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html].
> This idea has freely been taken from {{libcurl}} which does this exactly.
> * [bundle and path m4 macros|https://github.com/curl/curl/blob/d9f3b365a3b663d6e45ff734a86b313e2fbcbbf2/acinclude.m4#L2560-L2719]
> * [Source code spots|https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L1967-L2009]
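The issue text above proposes three build-time knobs (a CA bundle file, a CA directory, and a fallback to OpenSSL's default verify paths) and says they map onto {{SSL_CTX_load_verify_locations}} and {{SSL_CTX_set_default_verify_paths}}. The following is an added example, not code from serf, libcurl or this thread; it uses Python's standard {{ssl}} module because {{SSLContext.load_verify_locations}} and {{SSLContext.set_default_verify_paths}} are thin wrappers over exactly those two OpenSSL calls, so the behaviour can be exercised without a C build. The function and constant names ({{select_trust_source}}, {{build_context}}, {{demo}}, the {{SERF_CA_*}} placeholders) are assumptions made for the example, and the fallback rule it encodes (use default paths only when neither a file nor a directory was configured) is the assumed meaning of {{CAFALLBACK}}, not something the ticket specifies. It also shows the point raised in the comment about whether a file is really opened: a CA file is read eagerly (a missing file fails immediately), while a CA directory is only registered and read lazily at verification time, so a typo in {{CAPATH}} is not detected at load time.

```python
"""Model of CAFILE / CAPATH / CAFALLBACK trust configuration on top of OpenSSL,
via Python's ssl module (added illustration, not serf's or libcurl's code)."""
import os
import ssl
import tempfile

# Placeholders standing in for the proposed compile-time defines (assumed names;
# the real build would inject them via scons CAFILE=/CAPATH=/CAFALLBACK=).
SERF_CA_BUNDLE = None      # would be "/path/to/ca.pem"
SERF_CA_PATH = None        # would be "/path/to/directory-with-pems"
SERF_CA_FALLBACK = False   # would be True for CAFALLBACK=yes


def select_trust_source(cafile, capath, fallback):
    """Pure decision step (assumed semantics): explicit locations win; the
    fallback to OpenSSL's default verify paths is used only when neither a
    file nor a directory is configured; otherwise refuse to build a context
    that could not verify any peer."""
    if cafile or capath:
        return "locations"
    if fallback:
        return "default"
    raise ValueError("no CA bundle, CA path or default-path fallback configured")


def build_context(cafile=None, capath=None, fallback=False):
    """Build a verifying client context, the way a library such as serf would
    at SSL_CTX setup time. Returns (context, which_source_was_used)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # never silently skip peer verification
    ctx.check_hostname = True
    source = select_trust_source(cafile, capath, fallback)
    if source == "locations":
        # Wraps SSL_CTX_load_verify_locations(ctx, cafile, capath).
        # A CA file is opened and parsed now; a CA directory is only recorded
        # and consulted (by subject-hash file name) during verification.
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    else:
        # Wraps SSL_CTX_set_default_verify_paths(ctx).
        ctx.set_default_verify_paths()
    return ctx, source


def demo():
    """Exercise the four interesting configurations offline and report what
    happened. The temporary, empty CA directory is constructed on the fly."""
    results = {}
    with tempfile.TemporaryDirectory() as capath:
        # 1. CAPATH only: accepted, but nothing is read yet (lazy lookup).
        ctx, src = build_context(capath=capath)
        results["capath_source"] = src
        results["capath_certs_loaded_eagerly"] = ctx.cert_store_stats()["x509"]

        # 2. CAFILE pointing at a file that does not exist: fails immediately,
        #    because the bundle is opened at load time (the fopen the comment
        #    above wants to see in strace).
        try:
            build_context(cafile=os.path.join(capath, "missing-bundle.pem"))
            results["missing_cafile"] = "accepted"
        except OSError:
            results["missing_cafile"] = "rejected"

    # 3. Nothing explicit, CAFALLBACK=yes: OpenSSL's compiled-in default paths.
    _ctx, src = build_context(fallback=True)
    results["fallback_source"] = src

    # 4. Nothing explicit and no fallback: refuse rather than verify against
    #    an empty store, which would reject every peer (or tempt a caller to
    #    disable verification).
    try:
        build_context()
        results["nothing_configured"] = "accepted"
    except ValueError:
        results["nothing_configured"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lazy CAPATH behaviour is the practical reason a misconfigured directory shows up as "certificate not trusted" at connection time rather than as a load error, which matches the kind of symptom the comment is chasing; the eager CAFILE read is what an {{strace}} for {{open}}/{{fopen}} on the bundle path would confirm.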



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
