mirror of
https://we.phorge.it/source/arcanist.git
synced 2024-12-22 13:30:54 +01:00
13d3a3c3b1
Summary: This default CA bundle file hasn't been updated since 2016. Update it to the current cURL extraction. I believe this is notably impactful because of a new "Let's Encrypt" certificate, but didn't hunt down the particulars. Test Plan: Confirmed the hash matches the published hash: ``` $ openssl dgst -sha256 resources/ssl/default.pem SHA256(resources/ssl/default.pem)= ae31ecb3c6e9ff3154cb7a55f017090448f88482f0e94ac927c0c67a1f33b9cf ``` This assurance is fairly meaningless since both the hash and file are published on `curl.se`. It didn't get corrupted by stellar radiation before it made it into Git, at least? Differential Revision: https://secure.phabricator.com/D21739 |
||
---|---|---|
.. | ||
default.pem | ||
README |
This document describes how to set Certificate Authority information. Usually, you need to do this only if you're using a self-signed certificate. OSX after Yosemite ================== If you're using a version of Mac OSX after Yosemite, you can not configure certificates from the command line. All libphutil and arcanist options related to CA configuration are ignored. Instead, you need to add them to the system keychain. The easiest way to do this is to visit the site in Safari and choose to permanently accept the certificate. You can also use `security add-trusted-cert` from the command line. All Other Systems ================= If "curl.cainfo" is not set (or you are using PHP older than 5.3.7, where the option was introduced), libphutil uses the "default.pem" certificate authority bundle when making HTTPS requests with cURL. This bundle is extracted from Mozilla's certificates by cURL: http://curl.haxx.se/docs/caextract.html If you want to use a different CA bundle (for example, because you use self-signed certificates), set "curl.cainfo" if you're using PHP 5.3.7 or newer, or create a file (or symlink) in this directory named "custom.pem". If "custom.pem" is present, that file will be used instead of "default.pem". If you receive errors using your "custom.pem" file, you can test it directly with `curl` by running a command like this: curl -v --cacert path/to/your/custom.pem https://phabricator.example.com/ Replace "path/to/your/custom.pem" with the path to your "custom.pem" file, and replace "https://phabricator.example.com" with the real URL of your Phabricator install. The initial lines of output from `curl` should give you information about the SSL handshake and certificate verification, which may be helpful in resolving the issue.