Fossil

Check-in [f81d64ca]

Overview
Comment: Improved documentation for server-side SSL settings.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | ssl-server
Files: files | file ages | folders
SHA3-256: f81d64cace5e5335a135e30e92b8dba433655119a71a4dd88c7e3c60ab221fe0
User & Date: drh 2021-12-27 17:13:19
Context
2021-12-27
21:43
Sanitize the pathname on the /.well-known webpage. Forum post ba46d8e333. ... (check-in: b265013b user: drh tags: ssl-server)
17:13
Improved documentation for server-side SSL settings. ... (check-in: f81d64ca user: drh tags: ssl-server)
17:01
Enable access to the ".well-known" subdirectory, to facilitate ACME. ... (check-in: 6d447b86 user: drh tags: ssl-server)
Changes

Changes to src/db.c.

** "Anonymous" in e.g. ticketing system. On the other hand
** users can not be deleted.
*/
/*
** SETTING: ssh-command      width=40 sensitive
** The command used to talk to a remote machine with  the "ssh://" protocol.
*/








/*
** SETTING: ssl-ca-location  width=40 sensitive
** The full pathname to a file containing PEM encoded
** CA root certificates, or a directory of certificates
** with filenames formed from the certificate hashes as
** required by OpenSSL.
**
** If set, this will override the OS default list of
** OpenSSL CAs. If unset, the default list will be used.
** Some platforms may add additional certificates.
** Checking your platform behaviour is required if the
** exact contents of the CA root is critical for your
** application.
*/














/*
** SETTING: ssl-identity     width=40 sensitive
** The full pathname to a file containing a certificate
** and private key in PEM format. Create by concatenating
** the certificate and private key files.
**
** This identity will be presented to SSL servers to
** authenticate this client, in addition to the normal
** password authentication.
*/





#ifdef FOSSIL_ENABLE_TCL
/*
** SETTING: tcl              boolean default=off sensitive
** If enabled Tcl integration commands will be added to the TH1
** interpreter, allowing arbitrary Tcl expressions and
** scripts to be evaluated from TH1.  Additionally, the Tcl
** interpreter will be able to evaluate arbitrary TH1







** "Anonymous" in e.g. ticketing system. On the other hand
** users can not be deleted.
*/
/*
** SETTING: ssh-command      width=40 sensitive
** The command used to talk to a remote machine with  the "ssh://" protocol.
*/

/*
** SETTING: ssl-acme         boolean default=off
** If true, allow web pages with a path of "/.well-known/..." to retrieve
** files stored in the ".well-known" subdirectory in the same directory as
** the repository.  This is needed by tools such as "certbot" to verify a
** certificate signing request.
*/
/*
** SETTING: ssl-ca-location  width=40 sensitive
** The full pathname to a file containing PEM encoded
** CA root certificates, or a directory of certificates
** with filenames formed from the certificate hashes as
** required by OpenSSL.
**
** If set, this will override the OS default list of
** OpenSSL CAs. If unset, the default list will be used.
** Some platforms may add additional certificates.
** Checking your platform behaviour is required if the
** exact contents of the CA root is critical for your
** application.
*/
/*
** SETTING: ssl-cert          width=40 block-text sensitive
** The text of SSL server certificate and private key used by commands
** like "fossil server".  The text should be in the PEM format.  Use
** the "fossil ssl-config load-certs" command to change this setting.
*/
/*
** SETTING: ssl-cert-file     width=40 sensitive
** The name of a file that contains the SSL server certificate, or
** optionally the concatenation of the certificate and private key,
** for use by Fossil when it is acting as a server.  If this file
** contains only the certificate, then the ssl-key-file setting must
** contain the name of a file containing the private key.
*/
/*
** SETTING: ssl-identity     width=40 sensitive
** The full pathname to a file containing a certificate
** and private key in PEM format. Create by concatenating
** the certificate and private key files.
**
** This identity will be presented to SSL servers to
** authenticate this client, in addition to the normal
** password authentication.
*/
/*
** SETTING: ssl-key-file     width=40 sensitive
** The name of a file that contains the SSL server certificate private
** key.  Used in combination with "ssl-cert-file".
*/
#ifdef FOSSIL_ENABLE_TCL
/*
** SETTING: tcl              boolean default=off sensitive
** If enabled Tcl integration commands will be added to the TH1
** interpreter, allowing arbitrary Tcl expressions and
** scripts to be evaluated from TH1.  Additionally, the Tcl
** interpreter will be able to evaluate arbitrary TH1
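Review bot: the three new server-side settings leave their precedence undocumented. ssl-cert holds the certificate and private key as block text, ssl-cert-file may hold either the certificate alone or the certificate concatenated with the key, and ssl-key-file says only "Used in combination with "ssl-cert-file"". A reader of src/db.c cannot tell which source wins when both ssl-cert and ssl-cert-file are set, or whether ssl-key-file is ignored when ssl-cert-file already contains the key; each of the three comments should state the order in which "fossil server" consults them. The ssl-acme description should likewise say which part of the request path after "/.well-known/" is honoured (the check-in b265013b listed under Context above sanitizes that pathname), since turning the setting on serves files from a directory beside the repository over the web and an administrator needs to know the extent of that exposure.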

Changes to src/http_ssl.c.

      );
    }

    fossil_print("ssl-acme:          %s\n",
           db_get_boolean("ssl-acme",0) ? "on" : "off");
    if( verbose ){
      fossil_print("\n"
         "  This setting enables web access to files in the \".well-known\""
         "  subdirectory in the same directory as the repository. Such access\n"
         "  is required to obtain a certificate from services like\n"
         "  \"Let's Encrypt\" using the tools like \"certbot\".\n\n"
      );
    }

    zValue = db_get("ssl-cert",0);







      );
    }

    fossil_print("ssl-acme:          %s\n",
           db_get_boolean("ssl-acme",0) ? "on" : "off");
    if( verbose ){
      fossil_print("\n"
         "  This setting enables web access to files in the \".well-known\"\n"
         "  subdirectory in the same directory as the repository. Such access\n"
         "  is required to obtain a certificate from services like\n"
         "  \"Let's Encrypt\" using the tools like \"certbot\".\n\n"
      );
    }

    zValue = db_get("ssl-cert",0);
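Review bot: the added "\n" at the end of the first fossil_print fragment is the right fix; without it the adjacent string literals are concatenated by the compiler and "".well-known"" and "subdirectory" land on the same output line with two spaces between them. While this text is being touched, the last fragment still reads "using the tools like "certbot"" on both sides of the diff; "using tools such as "certbot"" reads better.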