Overview
Comment: | Improved documentation for server-side SSL settings. |
---|---|
SHA3-256: | f81d64cace5e5335a135e30e92b8dba4 |
User & Date: | drh 2021-12-27 17:13:19 |
Context
2021-12-27
21:43 | Sanitize the pathname on the /.well-known webpage. Forum post ba46d8e333. ... (check-in: b265013b user: drh tags: ssl-server) | |
17:13 | Improved documentation for server-side SSL settings. ... (check-in: f81d64ca user: drh tags: ssl-server) | |
17:01 | Enable access to the ".well-known" subdirectory, to facilitate ACME. ... (check-in: 6d447b86 user: drh tags: ssl-server) | |
Changes
Changes to src/db.c.
︙ | ︙ | |||
4261 4262 4263 4264 4265 4266 4267 4268 4269 4270 4271 4272 4273 4274 4275 4276 4277 4278 4279 4280 4281 4282 4283 4284 4285 4286 4287 4288 4289 4290 4291 4292 4293 4294 4295 4296 4297 4298 | ** "Anonymous" in e.g. ticketing system. On the other hand ** users can not be deleted. */ /* ** SETTING: ssh-command width=40 sensitive ** The command used to talk to a remote machine with the "ssh://" protocol. */ /* ** SETTING: ssl-ca-location width=40 sensitive ** The full pathname to a file containing PEM encoded ** CA root certificates, or a directory of certificates ** with filenames formed from the certificate hashes as ** required by OpenSSL. ** ** If set, this will override the OS default list of ** OpenSSL CAs. If unset, the default list will be used. ** Some platforms may add additional certificates. ** Checking your platform behaviour is required if the ** exact contents of the CA root is critical for your ** application. */ /* ** SETTING: ssl-identity width=40 sensitive ** The full pathname to a file containing a certificate ** and private key in PEM format. Create by concatenating ** the certificate and private key files. ** ** This identity will be presented to SSL servers to ** authenticate this client, in addition to the normal ** password authentication. */ #ifdef FOSSIL_ENABLE_TCL /* ** SETTING: tcl boolean default=off sensitive ** If enabled Tcl integration commands will be added to the TH1 ** interpreter, allowing arbitrary Tcl expressions and ** scripts to be evaluated from TH1. Additionally, the Tcl ** interpreter will be able to evaluate arbitrary TH1 | > > > > > > > > > > > > > > > > > > > > > > > > > > > | 4261 4262 4263 4264 4265 4266 4267 4268 4269 4270 4271 4272 4273 4274 4275 4276 4277 4278 4279 4280 4281 4282 4283 4284 4285 4286 4287 4288 4289 4290 4291 4292 4293 4294 4295 4296 4297 4298 4299 4300 4301 4302 4303 4304 4305 4306 4307 4308 4309 4310 4311 4312 4313 4314 4315 4316 4317 4318 4319 4320 4321 4322 4323 4324 4325 | ** "Anonymous" in e.g. 
ticketing system. On the other hand ** users can not be deleted. */ /* ** SETTING: ssh-command width=40 sensitive ** The command used to talk to a remote machine with the "ssh://" protocol. */ /* ** SETTING: ssl-acme boolean default=off ** If true, allow web pages with a path of "/.well-known/..." to retrieve ** files stored in the ".well-known" subdirectory in the same directory as ** the repository. This is needed by tools such as "certbot" to verify a ** certificate signing request. */ /* ** SETTING: ssl-ca-location width=40 sensitive ** The full pathname to a file containing PEM encoded ** CA root certificates, or a directory of certificates ** with filenames formed from the certificate hashes as ** required by OpenSSL. ** ** If set, this will override the OS default list of ** OpenSSL CAs. If unset, the default list will be used. ** Some platforms may add additional certificates. ** Checking your platform behaviour is required if the ** exact contents of the CA root is critical for your ** application. */ /* ** SETTING: ssl-cert width=40 block-text sensitive ** The text of SSL server certificate and private key used by commands ** like "fossil server". The text should be in the PEM format. Use ** the "fossil ssl-config load-certs" command to change this setting. */ /* ** SETTING: ssl-cert-file width=40 sensitive ** The name of a file that contains the SSL server certificate, or ** optionally the concatenation of the certificate and private key, ** for use by Fossil when it is acting as a server. If this file ** contains only the certificate, then the ssl-key-file setting must ** contain the name of a file containing the private key. */ /* ** SETTING: ssl-identity width=40 sensitive ** The full pathname to a file containing a certificate ** and private key in PEM format. Create by concatenating ** the certificate and private key files. 
** ** This identity will be presented to SSL servers to ** authenticate this client, in addition to the normal ** password authentication. */ /* ** SETTING: ssl-key-file width=40 sensitive ** The name of a file that contains the SSL server certificate private ** key. Used in combination with "ssl-cert-file". */ #ifdef FOSSIL_ENABLE_TCL /* ** SETTING: tcl boolean default=off sensitive ** If enabled Tcl integration commands will be added to the TH1 ** interpreter, allowing arbitrary Tcl expressions and ** scripts to be evaluated from TH1. Additionally, the Tcl ** interpreter will be able to evaluate arbitrary TH1 |
︙ | ︙ |
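Review bot: the new ssl-acme comment in src/db.c describes the served path only as "/.well-known/..." and never says what the "..." part may contain or that the lookup is confined to the ".well-known" directory beside the repository. Since enabling the setting serves files from disk over the web, the comment should state that constraint explicitly; the later check-in b265013b on this branch, which sanitizes the pathname, is the behaviour the text should describe. ssl-acme is also the only setting in this group declared without the sensitive attribute; if that is deliberate, a short remark would help. Separately, the ssl-cert and ssl-cert-file comments do not say which one takes effect when both are set.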
Changes to src/http_ssl.c.
︙ | ︙ | |||
1099 1100 1101 1102 1103 1104 1105 | ); } fossil_print("ssl-acme: %s\n", db_get_boolean("ssl-acme",0) ? "on" : "off"); if( verbose ){ fossil_print("\n" | | | 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 | ); } fossil_print("ssl-acme: %s\n", db_get_boolean("ssl-acme",0) ? "on" : "off"); if( verbose ){ fossil_print("\n" " This setting enables web access to files in the \".well-known\"\n" " subdirectory in the same directory as the repository. Such access\n" " is required to obtain a certificate from services like\n" " \"Let's Encrypt\" using the tools like \"certbot\".\n\n" ); } zValue = db_get("ssl-cert",0); |
︙ | ︙ |
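Review bot: in the verbose text added to src/http_ssl.c, "using the tools like \"certbot\"" should read "using tools like"; drop the article. The wording also diverges from the ssl-acme SETTING comment in src/db.c ("verify a certificate signing request" there, "obtain a certificate" here); using one description in both places keeps the command output and the settings documentation from drifting. The paragraph could also mention that the setting is off by default, as the SETTING line declares.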