[ https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348270#comment-15348270
]
Michael Osipov commented on SERF-179:
-------------------------------------
I just tried tag 1.3.8 from trunk and Subversion 1.9.3 from ports. Yes, default PEM file is
loaded and the file from {{servers}} ({{ssl-authority-files = /usr/local/share/certs/ca-root-nss.crt}})
but Subversion still nags me about the invalid certificate. Even {{ssl-trust-default-ca =
yes}} does not help.
Shall I close this issue and create new one with serf or mail users@subversion.a.o? I can
provide {{truss}} output for both cases.
> Add CAFILE, CAPATH, CAFALLBACK as compile time option
> -----------------------------------------------------
>
> Key: SERF-179
> URL: https://issues.apache.org/jira/browse/SERF-179
> Project: serf
> Issue Type: Improvement
> Affects Versions: serf-1.3.8
> Reporter: Michael Osipov
>
> Currently, libserf does not provide an option to supply a PEM bundle with CAs. Subversion
always nags whether the target host can be trusted. This is annoying and can be automated.
> Add three options supported by OpenSSL natively:
> * {{scons CAFILE=/path/to/ca.pem}}
> * {{scons CAPATH=/path/to/directory-with-pems}}
> * {{scons CAFALLBACK=yes}}
> Three defines can be added then: {{SERF_CA_BUNDLE}}, {{SERF_CA_PATH}} and {{SERF_CA_FALLBACK}}.
This can be safely fed into {{SSL_CTX_load_verify_locations(3)}} and {{SSL_CTX_set_default_verify_paths(3)}}.
[OpenSSL reference|https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html].
> This idea has freely been taken from {{libcurl}} which does this exactly.
> * [bundle and path m4 macos|https://github.com/curl/curl/blob/d9f3b365a3b663d6e45ff734a86b313e2fbcbbf2/acinclude.m4#L2560-L2719]
> * [Source code spots|https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L1967-L2009]
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
|