phorge-arcanist/resources/ssl/README

This document describes how to set Certificate Authority information.
Usually, you need to do this only if you're using a self-signed certificate.


OSX after Yosemite
==================

If you're using a version of Mac OSX after Yosemite, you can not configure
certificates from the command line. All libphutil and arcanist options
related to CA configuration are ignored.

Instead, you need to add them to the system keychain. The easiest way to do this
is to visit the site in Safari and choose to permanently accept the certificate.

You can also use `security add-trusted-cert` from the command line.


All Other Systems
=================

If "curl.cainfo" is not set (or you are using PHP older than 5.3.7, where the
option was introduced), libphutil uses the "default.pem" certificate authority
bundle when making HTTPS requests with cURL. This bundle is extracted from
Mozilla's certificates by cURL:

  http://curl.haxx.se/docs/caextract.html

If you want to use a different CA bundle (for example, because you use
self-signed certificates), set "curl.cainfo" if you're using PHP 5.3.7 or newer,
or create a file (or symlink) in this directory named "custom.pem".

If "custom.pem" is present, that file will be used instead of "default.pem".

If you receive errors using your "custom.pem" file, you can test it directly
with `curl` by running a command like this:

  curl -v --cacert path/to/your/custom.pem https://phabricator.example.com/

Replace "path/to/your/custom.pem" with the path to your "custom.pem" file,
and replace "https://phabricator.example.com" with the real URL of your
Phabricator install.

The initial lines of output from `curl` should give you information about the
SSL handshake and certificate verification, which may be helpful in resolving
the issue.
[Wilds] Remove libphutil Summary: Ref T13098. Historically, Phabricator was split into three parts: - Phabricator, the server. - Arcanist, the client. - libphutil, libraries shared between the client and server. One imagined use case for this was that `libphutil` might become a general-purpose library that other projects would use. However, this didn't really happen, and it seems unlikely to at this point: Phabricator has become a relatively more sophisticated application platform; we didn't end up seeing or encouraging much custom development; what custom development there is basically embraces all of Phabricator since there are huge advantages to doing so; and a general "open source is awful" sort of factor here in the sense that open source users often don't have goals well aligned to our goals. Turning "arc" into a client platform and building package management solidify us in this direction of being a standalone platform, not a standalone utility library. Phabricator also depends on `arcanist/`. If it didn't, there would be a small advantage to saying "shared code + client for client, shared code + server for server", but there's no such distinction and it seems unlikely that one will ever exist. Even if it did, I think this has little value. Nowadays, I think this separation has no advantages for us and one significant cost: it makes installing `arcanist` more difficult for end-users. This will need some more finesssing (Phabricator will need some changes for compatibility, and a lot of stuff that still says "libphutil" or "phutil" may eventually want to say "arcanist"), and some stuff (like xhpast) is probably straight-up broken right now and needs some tweaking, but I don't anticipate any major issues here. There was never anything particularly magical about libphutil as a separate standalone library. Test Plan: Ran `arc`, it gets about as far as it did before. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13098 Differential Revision: https://secure.phabricator.com/D19688 2018-09-18 19:37:45 +02:00			`This document describes how to set Certificate Authority information.`
			`Usually, you need to do this only if you're using a self-signed certificate.`


			`OSX after Yosemite`
			`==================`

			`If you're using a version of Mac OSX after Yosemite, you can not configure`
			`certificates from the command line. All libphutil and arcanist options`
			`related to CA configuration are ignored.`

			`Instead, you need to add them to the system keychain. The easiest way to do this`
			`is to visit the site in Safari and choose to permanently accept the certificate.`

			You can also use `security add-trusted-cert` from the command line.


			`All Other Systems`
			`=================`

			`If "curl.cainfo" is not set (or you are using PHP older than 5.3.7, where the`
			`option was introduced), libphutil uses the "default.pem" certificate authority`
			`bundle when making HTTPS requests with cURL. This bundle is extracted from`
			`Mozilla's certificates by cURL:`

			`http://curl.haxx.se/docs/caextract.html`

			`If you want to use a different CA bundle (for example, because you use`
			`self-signed certificates), set "curl.cainfo" if you're using PHP 5.3.7 or newer,`
			`or create a file (or symlink) in this directory named "custom.pem".`

			`If "custom.pem" is present, that file will be used instead of "default.pem".`

			`If you receive errors using your "custom.pem" file, you can test it directly`
			with `curl` by running a command like this:

			`curl -v --cacert path/to/your/custom.pem https://phabricator.example.com/`

			`Replace "path/to/your/custom.pem" with the path to your "custom.pem" file,`
			`and replace "https://phabricator.example.com" with the real URL of your`
			`Phabricator install.`

			The initial lines of output from `curl` should give you information about the
			`SSL handshake and certificate verification, which may be helpful in resolving`
			`the issue.`