Fossil Forum

New feature: TLS exception y/N/fingerprint

New feature: TLS exception y/N/fingerprint

(1) By anonymous on 2021-10-11 12:13:57 [source]

New versions of SSH allow upon connecting to a new host a third option in addition to yes and no: fingerprint. The fingerprint option allows one to simply paste the fingerprint of the remote host instead of having to compare it by hand. Here is a simple patch for fossil to allow the same when a TLS certificate cannot be verified automatically:

Index: src/http_ssl.c
--- src/http_ssl.c
+++ src/http_ssl.c
@@ -379,24 +379,25 @@
       X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 0, XN_FLAG_ONELINE);
       BIO_printf(mem, "\n  sha256:  %s", zHash);
       desclen = BIO_get_mem_data(mem, &desc);
       prompt = mprintf("Unable to verify SSL cert from %s\n%.*s\n"
-          "accept this cert and continue (y/N)? ",
+          "accept this cert and continue (y/N/fingerprint)? ",
           pUrlData->name, desclen, desc);
       prompt_user(prompt, &ans);
       cReply = blob_str(&ans)[0];
-      blob_reset(&ans);
-      if( cReply!='y' && cReply!='Y' ){
+      if( cReply!='y' && cReply!='Y' && fossil_stricmp(blob_str(&ans),zHash)!=0 ){
         ssl_set_errmsg("SSL cert declined");
+        blob_reset(&ans);
         return 1;
+      blob_reset(&ans);
       ssl_one_time_exception(pUrlData, zHash);
       prompt_user("remember this exception (y/N)? ", &ans);
       cReply = blob_str(&ans)[0];
       if( cReply=='y' || cReply=='Y') {

(2) By sean (jungleboogie) on 2021-10-13 14:00:08 in reply to 1 [link] [source]