[ 
https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348206#comment-15348206
 ] 

Bert Huijben commented on SERF-179:
-----------------------------------

An application can call serf_ssl_use_default_certificates() (as Subversion 
does, unless you explicitly configure in its config file that it shouldn't). 
This makes serf ask OpenSSL to use the default config, which should have been 
configured by the platform maintainer.

I'm not a platform maintainer, but if I were one I would rather configure this 
once for OpenSSL than separately for every application that uses OpenSSL.

On FreeBSD the 'ca_root_nss' package maintains a set of root certificates in a 
way that they are directly handled by OpenSSL, and -via that path- Subversion.

> Add CAFILE, CAPATH, CAFALLBACK as compile time option
> -----------------------------------------------------
>
>                 Key: SERF-179
>                 URL: https://issues.apache.org/jira/browse/SERF-179
>             Project: serf
>          Issue Type: Improvement
>    Affects Versions: serf-1.3.8
>            Reporter: Michael Osipov
>
> Currently, libserf does not provide an option to supply a PEM bundle with 
> CAs. Subversion always nags whether the target host can be trusted. This is 
> annoying and can be automated.
> Add three options supported by OpenSSL natively:
> * {{scons CAFILE=/path/to/ca.pem}}
> * {{scons CAPATH=/path/to/directory-with-pems}}
> * {{scons CAFALLBACK=yes}}
> Three defines can be added then: {{SERF_CA_BUNDLE}},  {{SERF_CA_PATH}} and 
> {{SERF_CA_FALLBACK}}. This can be safely fed into 
> {{SSL_CTX_load_verify_locations(3)}} and 
> {{SSL_CTX_set_default_verify_paths(3)}}. [OpenSSL 
> reference|https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html].
> This idea has freely been taken from {{libcurl}} which does this exactly.
> * [bundle and path m4 
> macros|https://github.com/curl/curl/blob/d9f3b365a3b663d6e45ff734a86b313e2fbcbbf2/acinclude.m4#L2560-L2719]
> * [Source code 
> spots|https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L1967-L2009]
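Added example, not serf's or Subversion's own code: Python's ssl module wraps the same two OpenSSL calls named above (load_verify_locations maps to SSL_CTX_load_verify_locations, set_default_verify_paths to SSL_CTX_set_default_verify_paths), so it can show how the proposed CAFILE/CAPATH/CAFALLBACK knobs would combine with the platform defaults that serf_ssl_use_default_certificates() relies on. The TrustConfig class is a hypothetical stand-in for the three build-time defines.

```python
import ssl
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass
class TrustConfig:
    """Hypothetical model of the three proposed build-time knobs."""
    ca_file: Optional[str] = None      # would come from SERF_CA_BUNDLE
    ca_path: Optional[str] = None      # would come from SERF_CA_PATH
    ca_fallback: bool = False          # would come from SERF_CA_FALLBACK


def build_client_context(cfg: TrustConfig) -> Tuple[ssl.SSLContext, List[str]]:
    """Return a verifying client context plus the list of trust sources used.

    Explicit file/dir go to SSL_CTX_load_verify_locations; the OpenSSL defaults
    (SSL_CTX_set_default_verify_paths) are added when CAFALLBACK is set or when
    nothing explicit was configured, i.e. the serf_ssl_use_default_certificates case.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # never accept an unverified peer
    ctx.check_hostname = True
    sources: List[str] = []
    if cfg.ca_file or cfg.ca_path:
        # Raises (FileNotFoundError for a missing bundle) so a mistyped CAFILE
        # fails closed instead of silently leaving the trust store empty.
        ctx.load_verify_locations(cafile=cfg.ca_file, capath=cfg.ca_path)
        sources.append("explicit")
    if cfg.ca_fallback or not sources:
        ctx.set_default_verify_paths()     # the platform maintainer's OpenSSL defaults
        sources.append("default")
    return ctx, sources


def default_trust_locations() -> dict:
    """Where OpenSSL's defaults resolve on this host: env override names and OPENSSLDIR paths."""
    p = ssl.get_default_verify_paths()
    return {"cafile_env": p.openssl_cafile_env, "cafile": p.openssl_cafile,
            "capath_env": p.openssl_capath_env, "capath": p.openssl_capath}


if __name__ == "__main__":
    print("OpenSSL defaults:", default_trust_locations())
    # "." is a constructed, empty CA directory; fallback adds the platform store.
    _, used = build_client_context(TrustConfig(ca_path=".", ca_fallback=True))
    print("trust sources:", used)
```

Inspecting default_trust_locations() on a host is the quickest way to confirm which file or directory (for example the ca_root_nss output on FreeBSD) the "default" source actually reads.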



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)