rpms/elinks
6
0
Fork 0
Code Issues Pull Requests Releases Activity

support for trusted CA certificates loading from file in PEM format

Browse Source
This commit is contained in:
Kamil Dudka 2009-04-28 11:46:48 +00:00
parent e4a56895d1
commit e07f7e3e6e
3 changed files with 90 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
elinks-nss-inc.patch Normal file
View File

@ -0,0 +1,58 @@
diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/network/ssl/ssl.c
--- elinks-0.12pre3.orig/src/network/ssl/ssl.c 2009-04-28 13:12:19.365660000 +0200
+++ elinks-0.12pre3/src/network/ssl/ssl.c 2009-04-28 13:26:39.287600358 +0200
@@ -48,10 +48,16 @@ SSL_CTX *context = NULL;
static void
init_openssl(struct module *module)
{
+ unsigned char *ca_file;
SSLeay_add_ssl_algorithms();
context = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_options(context, SSL_OP_ALL);
+#ifdef CONFIG_NSS_COMPAT_OSSL
+ ca_file = get_opt_str("connection.ssl.trusted_ca_file");
+ SSL_CTX_load_verify_locations(context, ca_file, NULL);
+#else
SSL_CTX_set_default_verify_paths(context);
+#endif
}
static void
@@ -61,10 +67,27 @@ done_openssl(struct module *module)
}
static struct option_info openssl_options[] = {
+#ifdef CONFIG_NSS_COMPAT_OSSL
+ INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
+ "cert_verify", 0, 0,
+ N_("Verify the peer's SSL certificate.")),
+
+ INIT_OPT_STRING("connection.ssl", N_("Trusted CA file"),
+ "trusted_ca_file", 0, "/etc/pki/tls/certs/ca-bundle.crt",
+ N_("The location of a file containing certificates of "
+ "trusted certification authorities in PEM format. "
+ "ELinks then trusts certificates issued by these CAs.\n"
+ "\n"
+ "If you change this option or the file, you must "
+ "restart ELinks for the changes to take effect. "
+ "This option affects GnuTLS and nss_compat_ossl but not "
+ "OpenSSL.")),
+#else
INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
"cert_verify", 0, 0,
N_("Verify the peer's SSL certificate. Note that this "
"needs extensive configuration of OpenSSL by the user.")),
+#endif
INIT_OPT_TREE("connection.ssl", N_("Client Certificates"),
"client_cert", OPT_SORT,
@@ -187,7 +210,8 @@ static struct option_info gnutls_options
"\n"
"If you change this option or the file, you must "
"restart ELinks for the changes to take effect. "
- "This option affects GnuTLS but not OpenSSL.")),
+ "This option affects GnuTLS and nss_compat_ossl but not "
+ "OpenSSL.")),
NULL_OPTION_INFO,
};

50
elinks-nss.patch
View File

@ -1,6 +1,6 @@
diff -ruNp elinks-0.12pre3.orig/configure.in elinks-0.12pre3/configure.in diff -ruNp elinks-0.12pre3.orig/configure.in elinks-0.12pre3/configure.in
--- elinks-0.12pre3.orig/configure.in 2009-04-14 13:46:26.749379000 +0200 --- elinks-0.12pre3.orig/configure.in 2009-04-28 12:19:38.816628000 +0200
+++ elinks-0.12pre3/configure.in 2009-04-14 13:47:13.702846713 +0200 +++ elinks-0.12pre3/configure.in 2009-04-28 12:56:07.343999815 +0200
@@ -1014,6 +1014,7 @@ gnutls_withval="$withval" @@ -1014,6 +1014,7 @@ gnutls_withval="$withval"
if test "$enable_gnutls" = yes; then if test "$enable_gnutls" = yes; then
@ -62,7 +62,7 @@ diff -ruNp elinks-0.12pre3.orig/configure.in elinks-0.12pre3/configure.in
diff -ruNp elinks-0.12pre3.orig/src/network/ssl/socket.c elinks-0.12pre3/src/network/ssl/socket.c diff -ruNp elinks-0.12pre3.orig/src/network/ssl/socket.c elinks-0.12pre3/src/network/ssl/socket.c
--- elinks-0.12pre3.orig/src/network/ssl/socket.c 2009-03-29 00:14:03.000000000 +0100 --- elinks-0.12pre3.orig/src/network/ssl/socket.c 2009-03-29 00:14:03.000000000 +0100
+++ elinks-0.12pre3/src/network/ssl/socket.c 2009-04-14 13:47:13.704846733 +0200 +++ elinks-0.12pre3/src/network/ssl/socket.c 2009-04-28 13:01:02.116180177 +0200
@@ -6,6 +6,10 @@ @@ -6,6 +6,10 @@
#ifdef CONFIG_OPENSSL #ifdef CONFIG_OPENSSL
@ -153,8 +153,8 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/socket.c elinks-0.12pre3/src/net
#elif defined(CONFIG_GNUTLS) #elif defined(CONFIG_GNUTLS)
int err = rd; int err = rd;
diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/network/ssl/ssl.c diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/network/ssl/ssl.c
--- elinks-0.12pre3.orig/src/network/ssl/ssl.c 2009-04-14 13:46:26.739379000 +0200 --- elinks-0.12pre3.orig/src/network/ssl/ssl.c 2009-04-28 12:19:38.782627000 +0200
+++ elinks-0.12pre3/src/network/ssl/ssl.c 2009-04-14 13:52:15.813854125 +0200 +++ elinks-0.12pre3/src/network/ssl/ssl.c 2009-04-28 12:59:09.000000000 +0200
@@ -7,6 +7,10 @@ @@ -7,6 +7,10 @@
#ifdef CONFIG_OPENSSL #ifdef CONFIG_OPENSSL
#include <openssl/ssl.h> #include <openssl/ssl.h>
@ -175,26 +175,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
#ifndef PATH_MAX #ifndef PATH_MAX
#define PATH_MAX 256 /* according to my /usr/include/bits/posix1_lim.h */ #define PATH_MAX 256 /* according to my /usr/include/bits/posix1_lim.h */
@@ -57,10 +61,18 @@ done_openssl(struct module *module) @@ -71,12 +75,28 @@ static struct option_info openssl_option
}
static struct option_info openssl_options[] = {
+#ifdef CONFIG_NSS_COMPAT_OSSL
+ INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
+ "cert_verify", 0, 0,
+ N_("Verify the peer's SSL certificate. The NSS database "
+ "location can be changed by SSL_DIR environment variable. "
+ "The database can be also shared with Mozilla browsers.")),
+#else
INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
"cert_verify", 0, 0,
N_("Verify the peer's SSL certificate. Note that this "
"needs extensive configuration of OpenSSL by the user.")),
+#endif
INIT_OPT_TREE("connection.ssl", N_("Client Certificates"),
"client_cert", OPT_SORT,
@@ -71,12 +83,27 @@ static struct option_info openssl_option
N_("Enable or not the sending of X509 client certificates " N_("Enable or not the sending of X509 client certificates "
"to servers which request them.")), "to servers which request them.")),
@ -205,9 +186,10 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
+ "database. If this value is unset, the nickname from " + "database. If this value is unset, the nickname from "
+ "the X509_CLIENT_CERT variable is used instead. If you " + "the X509_CLIENT_CERT variable is used instead. If you "
+ "have a PKCS#12 file containing client certificate, you " + "have a PKCS#12 file containing client certificate, you "
+ "can import it into your NSS database with: " + "can import it into your NSS database with:\n"
+ "$ pk12util -i mycert.p12 -d /path/to/database " + "\n"
+ " " + "$ pk12util -i mycert.p12 -d /path/to/database\n"
+ "\n"
+ "The NSS database location can be changed by SSL_DIR " + "The NSS database location can be changed by SSL_DIR "
+ "environment variable. The database can be also shared " + "environment variable. The database can be also shared "
+ "with Mozilla browsers.")), + "with Mozilla browsers.")),
@ -222,7 +204,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
NULL_OPTION_INFO, NULL_OPTION_INFO,
}; };
@@ -182,7 +209,7 @@ static struct module gnutls_module = str @@ -182,7 +202,7 @@ static struct module gnutls_module = str
/* done: */ done_gnutls /* done: */ done_gnutls
); );
@ -231,7 +213,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
static struct option_info ssl_options[] = { static struct option_info ssl_options[] = {
INIT_OPT_TREE("connection", N_("SSL"), INIT_OPT_TREE("connection", N_("SSL"),
@@ -193,7 +220,7 @@ static struct option_info ssl_options[] @@ -193,7 +213,7 @@ static struct option_info ssl_options[]
}; };
static struct module *ssl_modules[] = { static struct module *ssl_modules[] = {
@ -240,7 +222,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
&openssl_module, &openssl_module,
#elif defined(CONFIG_GNUTLS) #elif defined(CONFIG_GNUTLS)
&gnutls_module, &gnutls_module,
@@ -214,7 +241,7 @@ struct module ssl_module = struct_module @@ -214,7 +234,7 @@ struct module ssl_module = struct_module
int int
init_ssl_connection(struct socket *socket) init_ssl_connection(struct socket *socket)
{ {
@ -249,7 +231,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
socket->ssl = SSL_new(context); socket->ssl = SSL_new(context);
if (!socket->ssl) return S_SSL_ERROR; if (!socket->ssl) return S_SSL_ERROR;
#elif defined(CONFIG_GNUTLS) #elif defined(CONFIG_GNUTLS)
@@ -263,7 +290,7 @@ done_ssl_connection(struct socket *socke @@ -263,7 +283,7 @@ done_ssl_connection(struct socket *socke
ssl_t *ssl = socket->ssl; ssl_t *ssl = socket->ssl;
if (!ssl) return; if (!ssl) return;
@ -258,7 +240,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
SSL_free(ssl); SSL_free(ssl);
#elif defined(CONFIG_GNUTLS) #elif defined(CONFIG_GNUTLS)
gnutls_deinit(*ssl); gnutls_deinit(*ssl);
@@ -280,7 +307,7 @@ get_ssl_connection_cipher(struct socket @@ -280,7 +300,7 @@ get_ssl_connection_cipher(struct socket
if (!init_string(&str)) return NULL; if (!init_string(&str)) return NULL;
@ -269,7 +251,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
SSL_get_cipher_version(ssl), SSL_get_cipher_version(ssl),
diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.h elinks-0.12pre3/src/network/ssl/ssl.h diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.h elinks-0.12pre3/src/network/ssl/ssl.h
--- elinks-0.12pre3.orig/src/network/ssl/ssl.h 2009-03-29 00:14:03.000000000 +0100 --- elinks-0.12pre3.orig/src/network/ssl/ssl.h 2009-03-29 00:14:03.000000000 +0100
+++ elinks-0.12pre3/src/network/ssl/ssl.h 2009-04-14 13:47:13.706846753 +0200 +++ elinks-0.12pre3/src/network/ssl/ssl.h 2009-04-28 12:56:59.000000000 +0200
@@ -22,7 +22,7 @@ unsigned char *get_ssl_connection_cipher @@ -22,7 +22,7 @@ unsigned char *get_ssl_connection_cipher
/* Internal type used in ssl module. */ /* Internal type used in ssl module. */

11
elinks.spec
View File

@ -1,6 +1,6 @@
Name: elinks Name: elinks
Summary: A text-mode Web browser Summary: A text-mode Web browser
Version: 0.12 Version: 0.13
Release: 0.12.pre3%{?dist} Release: 0.12.pre3%{?dist}
License: GPLv2 License: GPLv2
URL: http://elinks.or.cz URL: http://elinks.or.cz
@ -35,6 +35,7 @@ Patch6: elinks-0.11.0-union.patch
Patch7: elinks-0.11.3-macropen.patch Patch7: elinks-0.11.3-macropen.patch
Patch8: elinks-scroll.patch Patch8: elinks-scroll.patch
Patch9: elinks-nss.patch Patch9: elinks-nss.patch
Patch10: elinks-nss-inc.patch
%description %description
Elinks is a text-based Web browser. Elinks does not display any images, Elinks is a text-based Web browser. Elinks does not display any images,
@ -62,8 +63,10 @@ quickly and swiftly displays Web pages.
%patch7 -p1 %patch7 -p1
#upstream fix for out of screen dialogs #upstream fix for out of screen dialogs
%patch8 -p1 %patch8 -p1
# Port elinks to use NSS library for cryptography (#346861) # Port elinks to use NSS library for cryptography (#346861) - accepted upstream
%patch9 -p1 %patch9 -p1
# Port elinks to use NSS library for cryptography (#346861) - incremental patch
%patch10 -p1
%build %build
./autogen.sh ./autogen.sh
@ -119,6 +122,10 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man5/* %{_mandir}/man5/*
%changelog %changelog
* Tue Apr 28 2009 Kamil Dudka <kdudka@redhat.com> 0.12-0.13.pre3
- use appropriate BuildRequires for nss_compat_ossl (#495532)
- support for trusted CA certificates loading from file in PEM format
* Fri Apr 03 2009 Ondrej Vasik <ovasik@redhat.com> 0.12.0.12.pre3 * Fri Apr 03 2009 Ondrej Vasik <ovasik@redhat.com> 0.12.0.12.pre3
- use word Elinks instead of Links in package description - use word Elinks instead of Links in package description