@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Support "ssl.chain" in Aphlict configuration

Summary: Fixes T10806. Although browsers don't seem to care about this, it's more correct to support it, and the new test console uses normal `cURL` and does care.

Test Plan:
- Hit the error case for providing a chain but no key/cert.
- Used `openssl s_client -connect localhost:22280` to connect to local Aphlict servers.
- With SSL but no chain, saw `openssl` fail to verify the remote.
- With SSL and a chain, saw `openssl` verify the identity of the remote.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10806

Differential Revision: https://secure.phabricator.com/D15709

+33 -5
+4 -2
conf/aphlict/aphlict.default.json
··· 5 5 "port": 22280, 6 6 "listen": "0.0.0.0", 7 7 "ssl.key": null, 8 - "ssl.cert": null 8 + "ssl.cert": null, 9 + "ssl.chain": null 9 10 }, 10 11 { 11 12 "type": "admin", 12 13 "port": 22281, 13 14 "listen": "127.0.0.1", 14 15 "ssl.key": null, 15 - "ssl.cert": null 16 + "ssl.cert": null, 17 + "ssl.chain": null 16 18 } 17 19 ], 18 20 "logs": [
+16
src/applications/aphlict/management/PhabricatorAphlictManagementWorkflow.php
··· 99 99 'listen' => 'optional string|null', 100 100 'ssl.key' => 'optional string|null', 101 101 'ssl.cert' => 'optional string|null', 102 + 'ssl.chain' => 'optional string|null', 102 103 )); 103 104 104 105 $port = $server['port']; ··· 142 143 '(to disable SSL) or specify both (to enable it).', 143 144 $index, 144 145 $port, 146 + 'ssl.key', 147 + 'ssl.cert')); 148 + } 149 + 150 + $ssl_chain = idx($server, 'ssl.chain'); 151 + if ($ssl_chain && (!$ssl_key && !$ssl_cert)) { 152 + throw new PhutilArgumentUsageException( 153 + pht( 154 + 'A specified server (at index "%s", on port "%s") specifies '. 155 + 'a value for "%s", but no value for "%s" or "%s". Servers '. 156 + 'should only provide an SSL chain if they also provide an SSL '. 157 + 'key and SSL certificate.', 158 + $index, 159 + $port, 160 + 'ssl.chain', 145 161 'ssl.key', 146 162 'ssl.cert')); 147 163 }
+4 -2
src/docs/user/configuration/notifications.diviner
··· 85 85 `admin` or `client`. Normally, you should run one of each. 86 86 - `port`: //Required int.// The port this server should listen on. 87 87 - `listen`: //Optional string.// Which interface to bind to. By default, 88 - the `admin` server is bound to localhost (so only other services on the 88 + the `admin` server is bound to `127.0.0.1` (so only other services on the 89 89 local machine can connect to it), while the `client` server is bound 90 - to `0.0.0.0` (so any client can connect. 90 + to `0.0.0.0` (so any client can connect). 91 91 - `ssl.key`: //Optional string.// If you want to use SSL on this port, 92 92 the path to an SSL key. 93 93 - `ssl.cert`: //Optional string.// If you want to use SSL on this port, 94 94 the path to an SSL certificate. 95 + - `ssl.chain`: //Optional string.// If you have configured SSL on this 96 + port, an optional path to a certificate chain file. 95 97 96 98 Each log in the `logs` list should be an object with these keys: 97 99
+9 -1
support/aphlict/server/aphlict_server.js
··· 104 104 spec['ssl.cert'] = fs.readFileSync(spec['ssl.cert']); 105 105 } 106 106 107 + if (spec['ssl.chain']){ 108 + spec['ssl.chain'] = fs.readFileSync(spec['ssl.chain']); 109 + } 110 + 107 111 servers.push(spec); 108 112 } 109 113 ··· 132 136 if (server['ssl.key']) { 133 137 var https_config = { 134 138 key: server['ssl.key'], 135 - cert: server['ssl.cert'] 139 + cert: server['ssl.cert'], 136 140 }; 141 + 142 + if (server['ssl.chain']) { 143 + https_config.ca = server['ssl.chain']; 144 + } 137 145 138 146 http_server = https.createServer(https_config); 139 147 } else {
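
Review bot: In PhabricatorAphlictManagementWorkflow.php, the new condition `if ($ssl_chain && (!$ssl_key && !$ssl_cert))` fires only when both the key and the certificate are missing, so it relies on the preceding check (the one whose message ends "or specify both (to enable it)") to have already rejected a key without a certificate or the reverse. Writing it as `!$ssl_key || !$ssl_cert` would make the check stand on its own and match the error text, which says a chain requires both an SSL key and an SSL certificate.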
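
Review bot: The new `ssl.chain` entry in notifications.diviner does not say what the chain file should contain, or that startup fails when a chain is given without `ssl.key` and `ssl.cert`. Suggest stating which certificates belong in the file and mentioning the error, since the workflow now throws a `PhutilArgumentUsageException` in that case.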
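
Review bot: In the first hunk of aphlict_server.js, `if (spec['ssl.chain']){` is missing the space before the opening brace that the rest of the file uses (compare `if (server['ssl.key']) {` in the second hunk). Suggest `if (spec['ssl.chain']) {` for consistency.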
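
Review bot: In the second hunk of aphlict_server.js, the chain is passed as `https_config.ca`, and in Node's TLS options `ca` is the set of CA certificates the server trusts, so a short comment here (and a line in the docs) should say the file is expected to hold only the intermediates for this server's certificate. Separately, the trailing comma added after `cert: server['ssl.cert']` is not needed, because `ca` is assigned on its own below; dropping it keeps that line out of the diff.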