mark benedetto king wrote:
> On Mon, Jul 21, 2003 at 12:33:58PM +0200, Tobias Ringström wrote:
>
>> ne_ssl_load_ca(sess, authorities_file);
>> ne_ssl_load_ca(sess2, authorities_file);
>> }
>>+ else
>>+ {
>>+ ne_ssl_load_default_ca(sess);
>>+ ne_ssl_load_default_ca(sess2);
>>+ }
>>
>
> I think that whether-or-not to load the default ca info is orthogonal
> to whether-or-not to load some user specific ca info, and thus deserves its
> own config option. All four permutations are reasonable, IMO.

I did add a new boolean config option at first (ssl-system-authorities),
but I decided that I did not like it because I figured that the default
value would need to change depending on whether ssl-authorities-file was
used or not.

How about the following solution? It will load the system CAs if
ssl-authorities-file is not used, but not if ssl-authorities-file is
used. You can get around that by prefixing the filename with a plus (+).
I think that covers all cases. If you want to disable all CAs, you can
point ssl-authorities-file to an empty file.

Example 1:
# Add our own CAs to the default ones
ssl-authorities-file = +/etc/my-CAs.pem

Example 2:
# Only permit our own CAs:
ssl-authorities-file = /etc/my-CAs.pem

I've attached the new patch. It applies to trunk rev 6521. Here is the
log entry:

* subversion/libsvn_subr/config_file.c (svn_config_ensure):
  Explain the meaning of the + prefix for ssl-authorities-file
  in the default server config file.

* subversion/libsvn_ra_dav/session.c (svn_ra_dav__open):
  Load the system default CAs by default, but not if
  ssl-authorities-file is used, unless the filename is
  prefixed by a plus (+).

/Tobias

Index: subversion/libsvn_subr/config_file.c
===================================================================
--- subversion/libsvn_subr/config_file.c (revision 6521)
+++ subversion/libsvn_subr/config_file.c (working copy)
@@ -850,7 +850,9 @@
"### 'ssl-authorities-file' points to the location of the file\n"
"### containing a list of known and trusted SSL Certificate \n"
"### Authorities (CAs). See details above for overriding security\n"
- "### issues due to SSL\n"
+ "### issues due to SSL. By default, the specified CAs will replace\n"
+ "### the default CAs. If the filename is prefixed by a plus (+),\n"
+ "### the specifed CAs will be loaded in addition to the default CAs.\n"
"# [global]\n"
"# http-proxy-exceptions = *.exception.com, www.internal-site.org\n"
"# http-proxy-host = defaultproxy.whatever.com\n"
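Review bot: In the added comment text, "specifed" on the last added line should be "specified", and "the default CAs" is never defined for the reader. Suggest writing "the system default CAs" and adding one sentence saying that the system defaults are loaded when ssl-authorities-file is not set at all, since this generated file is where users will learn the rule that the session.c change introduces.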
@@ -860,7 +862,7 @@
"# http-compression = yes\n"
"# No http-timeout, so just use the builtin default.\n"
"# No neon-debug-mask, so neon debugging is disabled.\n"
- "# ssl-authorities-file = /path/to/CAcerts.pem\n";
+ "# ssl-authorities-file = +/path/to/CAcerts.pem\n";
apr_err = apr_file_open (&f, path,
(APR_WRITE | APR_CREATE | APR_EXCL),
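Review bot: The commented-out sample line now shows only the '+' form, so a user who uncomments it and edits the path in order to restrict trust to a private CA ends up trusting the system CAs as well. Suggest keeping the plain path in the sample, or listing both forms with a one-line comment each, so that the restrictive form is the one people copy by default.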
Index: subversion/libsvn_ra_dav/session.c
===================================================================
--- subversion/libsvn_ra_dav/session.c (revision 6521)
+++ subversion/libsvn_ra_dav/session.c (working copy)
@@ -603,6 +603,7 @@
if (is_ssl_session)
{
const char *authorities_file;
+ svn_boolean_t load_default_ca = TRUE;
authorities_file = svn_config_get_server_setting(
cfg, server_group,
SVN_CONFIG_OPTION_SSL_AUTHORITIES_FILE,
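Review bot: The new load_default_ca declaration starts as TRUE with no comment, and that initial value is what makes the system CA set trusted for every SSL session that has no ssl-authorities-file. A short comment on the declaration stating the rule (TRUE unless a file is given without a leading '+') would save the reader from reconstructing it from the branches further down.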
@@ -610,10 +611,20 @@
if (authorities_file != NULL)
{
+ if (authorities_file[0] == '+')
+ authorities_file++;
+ else
+ load_default_ca = FALSE;
ne_ssl_load_ca(sess, authorities_file);
ne_ssl_load_ca(sess2, authorities_file);
}
+ if (load_default_ca)
+ {
+ ne_ssl_load_default_ca(sess);
+ ne_ssl_load_default_ca(sess2);
+ }
+
/* When the CA certificate or server certificate has
verification problems, neon will call our verify function before
outright rejection of the connection.*/
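Review bot: The '+' handling in the authorities_file branch has no check on what remains after the prefix: a value of just "+" passes an empty string to ne_ssl_load_ca, and nothing in these lines checks whether either load call succeeded. With the '+' form, a mistyped path then leaves the session on the system CAs alone, with no indication from this code that the user's file was not used. Suggest rejecting an empty name after the prefix and reporting a load failure to the user. A relative filename that really begins with '+' can also no longer be expressed, which the config comment should mention.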
Received on Mon Jul 21 19:18:34 2003