Posted to dev@serf.apache.org by "Bert Huijben (JIRA)" <ji...@apache.org> on 2016/06/24 09:45:16 UTC

[jira] [Commented] (SERF-179) Add CAFILE, CAPATH, CAFALLBACK as compile time option

    [ https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348073#comment-15348073 ] 

Bert Huijben commented on SERF-179:
-----------------------------------

I don't think we should require recompiling to change settings like these. We already have APIs for changing these so applications can expose these options in their config file. We also have a function to enable loading the OpenSSL (or other SSL implementation if you choose) default CA settings.

Applications like Subversion already use these features. 

And at least FreeBSD and Ubuntu (including Ubuntu on Windows) configure Subversion so that I don't have to accept servers manually, using their managed lists with the current support.

> Add CAFILE, CAPATH, CAFALLBACK as compile time option
> -----------------------------------------------------
>
>                 Key: SERF-179
>                 URL: https://issues.apache.org/jira/browse/SERF-179
>             Project: serf
>          Issue Type: Improvement
>    Affects Versions: serf-1.3.8
>            Reporter: Michael Osipov
>
> Currently, libserf does not provide an option to supply a PEM bundle with CAs. Subversion always nags whether the target host can be trusted. This is annoying and can be automated.
> Add three options supported by OpenSSL natively:
> * {{scons CAFILE=/path/to/ca.pem}}
> * {{scons CAPATH=/path/to/directory-with-pems}}
> * {{scons CAFALLBACK=yes}}
> Three defines can be added then: {{SERF_CA_BUNDLE}}, {{SERF_CA_PATH}} and {{SERF_CA_FALLBACK}}. This can be safely fed into {{SSL_CTX_load_verify_locations(3)}} and {{SSL_CTX_set_default_verify_paths(3)}}. [OpenSSL reference|https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html].
> This idea has freely been taken from {{libcurl}} which does this exactly.
> * [bundle and path m4 macros|https://github.com/curl/curl/blob/d9f3b365a3b663d6e45ff734a86b313e2fbcbbf2/acinclude.m4#L2560-L2719]
> * [Source code spots|https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L1967-L2009]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
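As an added example, not part of the ticket, this comment or serf's own code: the CAFILE / CAPATH / CAFALLBACK precedence the issue proposes, applied at runtime through Python's `ssl` module, which wraps the same two OpenSSL calls named above. The `CA_*` names and every path in it are constructed placeholders.

```python
import os
import ssl

# Stand-ins for the proposed SERF_CA_BUNDLE / SERF_CA_PATH / SERF_CA_FALLBACK defines.
# Constructed placeholder values; a real build would bake these in at compile time.
CA_BUNDLE = None      # SERF_CA_BUNDLE: path to a PEM bundle, or None
CA_PATH = None        # SERF_CA_PATH: hashed certificate directory, or None
CA_FALLBACK = True    # SERF_CA_FALLBACK: also load the library's default store


def build_verify_context(cafile=CA_BUNDLE, capath=CA_PATH, fallback=CA_FALLBACK):
    """Client SSLContext whose trust store comes from the configured sources.

    load_verify_locations()    -> SSL_CTX_load_verify_locations(3)
    set_default_verify_paths() -> SSL_CTX_set_default_verify_paths(3)
    Peer verification stays mandatory, and a misconfiguration raises here
    instead of surfacing as verify failures on every later connection.
    """
    if cafile is None and capath is None and not fallback:
        raise ValueError("no CA source configured: set CAFILE, CAPATH or CAFALLBACK")
    # OpenSSL records a CApath without checking that the directory exists,
    # so a typo in it is otherwise invisible until certificates fail to verify.
    if capath is not None and not os.path.isdir(capath):
        raise FileNotFoundError(f"CAPATH is not a directory: {capath}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile is not None or capath is not None:
        # Raises OSError if the bundle is missing, SSLError if it is not PEM.
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    if fallback:
        # Succeeds even when no default store is installed; see ca_config_status().
        ctx.set_default_verify_paths()
    return ctx


def verification_enforced(ctx):
    """True when the context will reject peers it cannot verify."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def ca_config_status(cafile, capath, fallback):
    """('ok', <number of CA certs in the store>) or ('error', <reason>)."""
    try:
        ctx = build_verify_context(cafile, capath, fallback)
    except (OSError, ValueError) as exc:   # ssl.SSLError is an OSError subclass
        return ("error", str(exc))
    return ("ok", ctx.cert_store_stats()["x509_ca"])
```

Because the fallback call reports success even on a host with no default bundle, the count returned by `ca_config_status` is the check that tells an empty trust store from a populated one.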