
Item14205: Cert wizard updates.

 - CaPath & CaFile can both be provided.
 - Check RHEL locations first,  RHEL provides the debian location, but
   it isn't fully populated.
 - Don't check filename characters.  Some of the default files already
   fail the check. And on Windows, it rejects everything.
gac410 committed Nov 11, 2016
1 parent d079f79 commit 8e8072443df4a47725f20ad2b1dcafc5bf463525
@@ -1890,17 +1890,15 @@ $Foswiki::cfg{SMTP}{SENDERHOST} = '';
# This verifies the identity of the server to which mail is sent.
$Foswiki::cfg{Email}{SSLVerifyServer} = $FALSE;
-# **PATH EXPERT LABEL="Certificate Authorities Filename" \
+# **PATH LABEL="Certificate Authorities Filename" \
# FEEDBACK="icon='ui-icon-shuffle';label='Guess certificate locations'; wizard='SSLCertificates'; method='guess_locations'"\
# DISPLAY_IF="{EnableEmail} && /^Net::SMTP/.test({Email}{MailMethod}) && {Email}{SSLVerifyServer}"**
# Specify the file used to verify the server certificate trust chain.
# This is the list of root Certificate authorities that you trust to issue
# certificates. You do not need to include intermediate CAs in this file.
-# If you do not specify this or {Email}{SSLCaPath}, system defaults will
-# be used.
$Foswiki::cfg{Email}{SSLCaFile} = '';
-# **PATH LABEL="Certificate Authorities Directory" EXPERT \
+# **PATH LABEL="Certificate Authorities Directory" \
# FEEDBACK="icon='ui-icon-shuffle';label='Guess certificate locations'; wizard='SSLCertificates'; method='guess_locations'"\
# FEEDBACK='label="Validate Contents"; wizard="SSLCertificates"; method="validate";\
# title="Examines every file in the directory and verifies \
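Review bot: Deleting the sentence `If you do not specify this or {Email}{SSLCaPath}, system defaults will be used.` (and its twin under SSLCaPath in the `-1909,7 +1907,6` hunk) leaves the spec text silent on what happens when both settings are empty, which is exactly the state of a fresh install. If the old statement was wrong, replacing it is better than removing it, e.g. `# If both this and {Email}{SSLCaPath} are empty, no CA store is configured; use the 'Guess certificate locations' button to fill them in.` — but I cannot tell from this hunk whether IO::Socket::SSL still falls back to its own defaults, so the exact wording needs confirming against the mail code. Dropping `EXPERT` from both items moves them into the default configure view; that seems intended now that the DISPLAY_IF on SSLVerifyServer already gates them, but it is worth stating in the item description.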
@@ -1909,7 +1907,6 @@ $Foswiki::cfg{Email}{SSLCaFile} = '';
# Specify the directory used to verify the server certificate trust chain.
# This is the list of root Certificate authorities that you trust to issue
# certificates. You do not need to include intermediate CAs in this directory.
-# If you do not specify this or {Email}{SSLCaFile}, system defaults will be used.
# Refer to the openssl documentation for the format of this directory.
# Note that it can also contain Certificate Revocation Lists.
$Foswiki::cfg{Email}{SSLCaPath} = '';
@@ -17,11 +17,6 @@ sub check_current_value {
my $file = $this->checkExpandedValue($reporter);
if ($file) {
- unless ( $file =~ m,^([\w_./-]+)$, ) {
- $reporter->ERROR("Invalid characters in $file");
- return;
- }
- $file = $1;
if ( -r $file ) {
$reporter->NOTE( "File was last modified "
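Review bot: The removed regex was not only a character whitelist but also the untainting step (`$file = $1`), so after this hunk `$file` is used as-is; under `-T` that only bites if the value later reaches something taint-checked, which this hunk does not show, but a newline or other control character in the configured path now passes unremarked into the `-r` test and the NOTE output. If the motivation is Windows drive letters, backslashes and spaces in the shipped defaults, a widened pattern keeps both the check and the untaint: `unless ( $file =~ m{\A([\w ./\\:+-]+)\z} ) { $reporter->ERROR("Invalid characters in $file"); return; }` followed by `$file = $1;`. The same deletion occurs in the `-58,9 +58,6` hunk, whose pattern had already drifted from this one (no `-` in the class), so if the check is kept it belongs in one shared helper rather than two copies. check_current_value begins outside the hunk, so I cannot see what else consumes `$file`.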
@@ -98,7 +93,7 @@ __END__
Foswiki - The Free and Open Source Wiki, http://foswiki.org/
-Copyright (C) 2008-2010 Foswiki Contributors. Foswiki Contributors
+Copyright (C) 2008-2016 Foswiki Contributors. Foswiki Contributors
are listed in the AUTHORS file in the root of this distribution.
NOTE: Please extend that file, not this notice.
@@ -52,7 +52,7 @@ sub check_current_value {
__END__
Foswiki - The Free and Open Source Wiki, http://foswiki.org/
-Copyright (C) 2008-2010 Foswiki Contributors. Foswiki Contributors
+Copyright (C) 2008-2016 Foswiki Contributors. Foswiki Contributors
are listed in the AUTHORS file in the root of this distribution.
NOTE: Please extend that file, not this notice.
@@ -58,9 +58,6 @@ sub check_current_value {
my $file = $value;
if ($file) {
- return $reporter->ERROR("Invalid characters in $file")
- unless $file =~ m,^([\w_./]+)$,;
- $file = $1;
if ( -r $file ) {
$reporter->NOTE( "File was last modified "
@@ -29,17 +29,20 @@ sub guess_locations {
my ( $this, $reporter ) = @_;
my @CERT_FILES = (
- "/etc/ssl/certs/ca-certificates.crt", #Debian/Ubuntu/Gentoo etc.
- "/etc/pki/tls/certs/ca-bundle.crt", #Fedora/RHEL
- "/etc/ssl/ca-bundle.pem", #OpenSUSE
- "/etc/pki/tls/cacert.pem", #OpenELEC
+ "/etc/pki/tls/certs/ca-bundle.crt", #Fedora/RHEL
+ "/etc/ssl/certs/ca-certificates.crt", #Debian/Ubuntu/Gentoo etc.
+ "/var/lib/ca-certificates/ca-bundle.pem", #OpenSuSE
+ "/etc/ssl/ca-bundle.pem", #OpenSuSE
+ "/etc/pki/tls/cacert.pem", #OpenELEC
#"/system/etc/security/cacerts", #Android
);
my @CERT_DIRS = (
- "/etc/ssl/certs", #Debian/Ubuntu/Gentoo etc.
- "/var/ssl/certs", #AIX
- "/usr/local/ssl/certs", #Openssl tarball default
+ "/etc/pki/tls/certs", #Fedora/RHEL
+ "/etc/ssl/certs", #Debian/Ubuntu/Gentoo etc.
+ "/var/ssl/certs", #AIX
+ "/var/lib/ca-certificates", # OpenSuSE
+ "/usr/local/ssl/certs", #Openssl tarball default
);
my ( $file, $path );
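Review bot: Both lists are now order-sensitive — per the commit message, RHEL is listed first because it also ships the Debian path only half-populated — but nothing in the code says so, and a later contributor sorting or appending entries will silently undo it. A comment above `my @CERT_FILES` such as `# Order matters: candidates are tried in sequence. RHEL ships /etc/ssl/certs as an incomplete copy, so its own bundle must precede the Debian path.` would pin that down; I am inferring "first readable match wins" from the commit message rather than from the search loop, which lies outside this hunk. The two entries tagged `#OpenSuSE` would also benefit from noting which releases use `/var/lib/ca-certificates` versus `/etc/ssl`, if that is known.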
@@ -85,7 +88,9 @@ sub guess_locations {
}
}
- return undef if ($guessed);
+# SMELL: I've seen some errors that suggest that only File or Path should be specified
+# but IO::Socket::SSL docs clearly state both are acceptable.
+#return undef if ($guessed);
# First see if the linux default path work
foreach $path (@CERT_DIRS) {
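Review bot: `#return undef if ($guessed);` is commented-out code parked next to the SMELL note that already records why it was disabled; the note carries the reasoning, so the dead line should be deleted rather than kept (history preserves it), and if it ever returns it should be `return if $guessed;` — a bare `return` rather than `return undef`, which yields a one-element list in list context. With the early return gone, `$guessed` may now be set but never read in this sub; the rest of guess_locations is outside the hunk, so that needs checking. The SMELL comment could also name the IO::Socket::SSL option pair it refers to (SSL_ca_file / SSL_ca_path) so the next reader can verify the claim against the docs without guessing.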
@@ -113,7 +118,7 @@ sub _setLocations {
$Foswiki::cfg{Email}{SSLCaFile} = $_[1];
$_[0]->CHANGED('{Email}{SSLCaFile}');
}
- elsif ( $_[2] ) {
+ if ( $_[2] ) {
$Foswiki::cfg{Email}{SSLCaPath} = $_[2];
$_[0]->CHANGED('{Email}{SSLCaPath}');
}
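Review bot: Turning `elsif` into `if` means both CaFile and CaPath are now written when both are passed, which matches the commit message, but the positional `$_[0]`/`$_[1]`/`$_[2]` access in the changed line and its neighbours makes it hard to see which argument is which. Unpacking at the top of the sub, `my ( $this, $ca_file, $ca_path ) = @_;`, and writing the branches as `if ($ca_file) { ... }` / `if ($ca_path) { ... }` would make the now-independent conditions obvious; _setLocations starts outside the hunk, so I cannot see whether that unpacking already exists. Since the two tests are now independent, a one-line comment such as `# Either, both, or neither may be supplied; each is recorded separately.` above the first `if` would document the new contract.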
