diff --git a/.gitignore b/.gitignore
index 246ed5874..68899ebb8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,4 @@ server/camlistored/newui/all.js
server/camlistored/newui/all.js.map
server/camlistored/newui/zembed_all.js.go
server/appengine/source_root/
+config/selfgen_pem*
diff --git a/clients/android/res/values/strings.xml b/clients/android/res/values/strings.xml
index c72007327..b49633dfe 100644
--- a/clients/android/res/values/strings.xml
+++ b/clients/android/res/values/strings.xml
@@ -4,7 +4,7 @@
Camlistore Uploader
Camlistore server
e.g. https://foo.example.com or "example.com:3179"
- Self-signed certificate
+ Self-signed cert fingerprint
The fingerprint of your self-signed certificate. Not needed for commercial certs.
Username
Password
@@ -30,4 +30,4 @@
Browse
Results
-
\ No newline at end of file
+
diff --git a/clients/android/res/xml/preferences.xml b/clients/android/res/xml/preferences.xml
index 87c09004a..1ab18cd77 100644
--- a/clients/android/res/xml/preferences.xml
+++ b/clients/android/res/xml/preferences.xml
@@ -7,11 +7,6 @@
android:persistent="true"
android:summary="@string/settings_host_summary"
android:title="@string/settings_host_title" />
-
+
+
-
\ No newline at end of file
+
diff --git a/clients/android/src/org/camlistore/SettingsActivity.java b/clients/android/src/org/camlistore/SettingsActivity.java
index c4d6cdf9e..bdad65544 100644
--- a/clients/android/src/org/camlistore/SettingsActivity.java
+++ b/clients/android/src/org/camlistore/SettingsActivity.java
@@ -230,7 +230,7 @@ public class SettingsActivity extends PreferenceActivity {
if (value != null && value.length() > 0) {
trustedCertPref.setSummary(value);
} else {
- trustedCertPref.setSummary("");
+ trustedCertPref.setSummary("");
}
}
diff --git a/clients/android/src/org/camlistore/UploadThread.java b/clients/android/src/org/camlistore/UploadThread.java
index a3133b4d7..47e146427 100644
--- a/clients/android/src/org/camlistore/UploadThread.java
+++ b/clients/android/src/org/camlistore/UploadThread.java
@@ -56,7 +56,7 @@ public class UploadThread extends Thread {
public UploadThread(UploadService uploadService, HostPort hp, String trustedCert, String username, String password) {
mService = uploadService;
mHostPort = hp;
- mTrustedCert = trustedCert;
+ mTrustedCert = trustedCert != null ? trustedCert.toLowerCase().trim() : "";
mUsername = username;
mPassword = password;
}
diff --git a/pkg/client/client.go b/pkg/client/client.go
index 6462ad333..b0040791b 100644
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@@ -794,7 +794,7 @@ func (c *Client) DialFunc() func(network, addr string) (net.Conn, error) {
if certs == nil || len(certs) < 1 {
return nil, errors.New("Could not get server's certificate from the TLS connection.")
}
- sig := misc.SHA1Prefix(certs[0].Raw)
+ sig := misc.SHA256Prefix(certs[0].Raw)
for _, v := range trustedCerts {
if v == sig {
return conn, nil
diff --git a/pkg/misc/misc.go b/pkg/misc/misc.go
index b588e1422..785bf9827 100644
--- a/pkg/misc/misc.go
+++ b/pkg/misc/misc.go
@@ -20,14 +20,14 @@ limitations under the License.
package misc
import (
- "crypto/sha1"
+ "crypto/sha256"
"fmt"
)
-// SHA1Prefix computes the SHA-1 digest of data and returns
-// the first ten digits of its lowercase hex string.
-func SHA1Prefix(data []byte) string {
- h := sha1.New()
+// SHA256Prefix computes the SHA-256 digest of data and returns
+// its first twenty lowercase hex digits.
+func SHA256Prefix(data []byte) string {
+ h := sha256.New()
h.Write(data)
- return fmt.Sprintf("%x", h.Sum(nil))[:10]
+ return fmt.Sprintf("%x", h.Sum(nil))[:20]
}
diff --git a/server/camlistored/camlistored.go b/server/camlistored/camlistored.go
index ca5ea4371..4d090afa1 100644
--- a/server/camlistored/camlistored.go
+++ b/server/camlistored/camlistored.go
@@ -176,7 +176,7 @@ func genSelfTLS(listen string) error {
if err != nil {
return fmt.Errorf("Failed to parse certificate: %v", err)
}
- sig := misc.SHA1Prefix(cert.Raw)
+ sig := misc.SHA256Prefix(cert.Raw)
hint := "You must add this certificate's fingerprint to your client's trusted certs list to use it. Like so:\n" +
`"trustedCerts": ["` + sig + `"],`
log.Printf(hint)
@@ -365,8 +365,8 @@ func setupTLS(ws *webserver.Server, config *serverconfig.Config, listen string)
if err != nil {
exitf("Failed to parse certificate: %v", err)
}
- sig := misc.SHA1Prefix(certif.Raw)
- log.Printf("TLS enabled, with certificate fingerprint: %v", sig)
+ sig := misc.SHA256Prefix(certif.Raw)
+ log.Printf("TLS enabled, with SHA-256 certificate fingerprint: %v", sig)
ws.SetTLS(cert, key)
}
diff --git a/website/content/docs/client-config b/website/content/docs/client-config
index bb212d26c..9cc6013fc 100644
--- a/website/content/docs/client-config
+++ b/website/content/docs/client-config
@@ -19,7 +19,7 @@ If the server is not on the same host, it is highly recommended to use TLS or an
identitySecretRing: Optional. If non-empty, it specifies the location of your GPG secret keyring. Defaults to $HOME/.config/camlistore/identity-secring.gpg. See camput init for help on how to generate a new keypair.
-trustedCerts: Optional. The list of TLS server certificates fingerprints (truncated at 10 digits) that the client will trust blindly when using https. It is required when the server is using a self-signed certificate. Example: "trustedCerts": ["ffc7730f4b"].
+trustedCerts: Optional. This is the list of TLS server certificate fingerprints that the client will trust when using HTTPS. It is required when the server is using a self-signed certificate (as Camlistore generates by default) instead of a Root Certificate Authority-signed cert (sometimes known as a "commercial SSL cert"). The format of each item is the first 20 hex digits of the SHA-256 digest of the cert. Example: "trustedCerts": ["ffc7730f4bf00ba4bad0"]
ignoredFiles: Optional. The list of of files that camput should ignore and not try to upload when using -filenodes.