New feature: TLS exception y/N/fingerprint
(1) By anonymous on 2021-10-11 12:13:57
New versions of SSH allow upon connecting to a new host a third option in addition to yes and no: fingerprint. The fingerprint option allows one to simply paste the fingerprint of the remote host instead of having to compare it by hand. Here is a simple patch for fossil to allow the same when a TLS certificate cannot be verified automatically:
Index: src/http_ssl.c
==================================================================
--- src/http_ssl.c
+++ src/http_ssl.c
@@ -379,24 +379,25 @@
X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 0, XN_FLAG_ONELINE);
BIO_printf(mem, "\n sha256: %s", zHash);
desclen = BIO_get_mem_data(mem, &desc);
prompt = mprintf("Unable to verify SSL cert from %s\n%.*s\n"
- "accept this cert and continue (y/N)? ",
+ "accept this cert and continue (y/N/fingerprint)? ",
pUrlData->name, desclen, desc);
BIO_free(mem);
prompt_user(prompt, &ans);
free(prompt);
cReply = blob_str(&ans)[0];
- blob_reset(&ans);
- if( cReply!='y' && cReply!='Y' ){
+ if( cReply!='y' && cReply!='Y' && fossil_stricmp(blob_str(&ans),zHash)!=0 ){
X509_free(cert);
ssl_set_errmsg("SSL cert declined");
ssl_close();
+ blob_reset(&ans);
return 1;
}
+ blob_reset(&ans);
ssl_one_time_exception(pUrlData, zHash);
prompt_user("remember this exception (y/N)? ", &ans);
cReply = blob_str(&ans)[0];
if( cReply=='y' || cReply=='Y') {
db_open_config(0,0);
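Review bot: the pasted fingerprint is compared whole with `fossil_stricmp(blob_str(&ans),zHash)`, so any surrounding whitespace or colon separators in what the user pastes make the reply fall through to the same `"SSL cert declined"` path as an explicit "n", with nothing telling the user that the fingerprint simply did not match; consider trimming the reply and stripping separators before the compare, and reporting a mismatch distinctly from a decline. The new prompt text `"accept this cert and continue (y/N/fingerprint)? "` also does not say which value is expected; naming the sha256 line printed just above it (for example "y/N/sha256 fingerprint") would avoid users pasting the issuer line or a different hash. Case-insensitive comparison against the hex `zHash` is fine, since hex case carries no information.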
(2) By sean (jungleboogie) on 2021-10-13 14:00:08 in reply to 1
Implemented in https://fossil-scm.org/home/info/48a860f658cbf7f9