sqlite.org website is now HTTPS-only

classic Classic list List threaded Threaded
41 messages Options
123
Reply | Threaded
Open this post in threaded view
|

sqlite.org website is now HTTPS-only

Richard Hipp-3
As an experiment, I have reconfigured the sqlite.org website to
redirect all HTTP requests over to HTTPS.

Let me know if this causes anybody any unnecessary grief.  It is easy
enough to undo the setting.

--
D. Richard Hipp
[hidden email]
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Stephen Chrzanowski
I've got a script that runs daily and scrapes the download page and grabs
everything new.  The last run was this morning at midnight eastern (-4UTC)
and it successfully grabbed the list of files that could be downloaded,
however, when I run it now, it doesn't seem to want to see anything.  After
making the script a bit more verbal, wget is reporting:

stephen@vmLamp:~$ wget -O - https://sqlite.org/download.html
--15:30:59--  https://sqlite.org/download.html
           => `-'
Resolving sqlite.org... 45.33.6.223
Connecting to sqlite.org|45.33.6.223|:443... connected.
ERROR: Certificate verification error for sqlite.org: unable to get local
issuer certificate
To connect to sqlite.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

In my browser, however, the cert does show up as green and verified by Lets
Encrypt.  I'll investigate why wget isn't validating Lets Encrypt (I use it
at home, so I'll test against my stuff first), then report back.  For now,
I'll just add the no cert check, and I should be fine.


On Thu, Jun 7, 2018 at 2:31 PM, Richard Hipp <[hidden email]> wrote:

> As an experiment, I have reconfigured the sqlite.org website to
> redirect all HTTP requests over to HTTPS.
>
> Let me know if this causes anybody any unnecessary grief.  It is easy
> enough to undo the setting.
>
> --
> D. Richard Hipp
> [hidden email]
> _______________________________________________
> sqlite-users mailing list
> [hidden email]
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Simon Slavin-3
On 7 Jun 2018, at 8:35pm, Stephen Chrzanowski <[hidden email]> wrote:

> stephen@vmLamp:~$ wget -O - https://sqlite.org/download.html
> --15:30:59--  https://sqlite.org/download.html
>           => `-'
> Resolving sqlite.org... 45.33.6.223
> Connecting to sqlite.org|45.33.6.223|:443... connected.
> ERROR: Certificate verification error for sqlite.org: unable to get local
> issuer certificate
> To connect to sqlite.org insecurely, use `--no-check-certificate'.
> Unable to establish SSL connection.
>
> In my browser, however, the cert does show up as green

Your copy of wget is using a different set of Certification Authority certificates to those used by your browser.  Since your browser was updated more recently than your OS (purely a guess on my part) I'm guessing that the certificates used by "wget" are slightly out of date.

Simon.
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Bob Friesenhahn
On Thu, 7 Jun 2018, Simon Slavin wrote:
>
> Your copy of wget is using a different set of Certification
> Authority certificates to those used by your browser.  Since your
> browser was updated more recently than your OS (purely a guess on my
> part) I'm guessing that the certificates used by "wget" are slightly
> out of date.

The certificates used by the browser are usually provided by the
browser vendor and so they are not necessarily provided by the OS
vendor.  If 'wget' does not know about 'Lets Encrypt' then merely
waiting is unlikely to solve the problem.

Bob
--
Bob Friesenhahn
[hidden email], http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Stephen Chrzanowski
In reply to this post by Simon Slavin-3
Probably, yes.  Its running Debian Lenny.  I'm trying to locate a resource
right now to see if I can get the appropriate files, and how to keep them
updated.

On Thu, Jun 7, 2018 at 3:43 PM, Simon Slavin <[hidden email]> wrote:

> On 7 Jun 2018, at 8:35pm, Stephen Chrzanowski <[hidden email]> wrote:
>
> > stephen@vmLamp:~$ wget -O - https://sqlite.org/download.html
> > --15:30:59--  https://sqlite.org/download.html
> >           => `-'
> > Resolving sqlite.org... 45.33.6.223
> > Connecting to sqlite.org|45.33.6.223|:443... connected.
> > ERROR: Certificate verification error for sqlite.org: unable to get
> local
> > issuer certificate
> > To connect to sqlite.org insecurely, use `--no-check-certificate'.
> > Unable to establish SSL connection.
> >
> > In my browser, however, the cert does show up as green
>
> Your copy of wget is using a different set of Certification Authority
> certificates to those used by your browser.  Since your browser was updated
> more recently than your OS (purely a guess on my part) I'm guessing that
> the certificates used by "wget" are slightly out of date.
>
> Simon.
> _______________________________________________
> sqlite-users mailing list
> [hidden email]
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Warren Young
On Jun 7, 2018, at 1:52 PM, Stephen Chrzanowski <[hidden email]> wrote:
>
> Its running Debian Lenny.

That OS is over 9 years old now.

I’ve been known to run Linux boxes longer than that, but one of the several tradeoffs for that stability is that you must accept incompatibilities like this.

Besides the CA database issue brought up above, there is another common cause for wget/curl complaints with HTTPS connections: the TLS/SSL and/or crypto library in use on the system is old enough that it doesn’t support any of the encryption protocols offered by the web server.  Web servers are often configured specifically to refuse old and known-broken protocols, with the attendant hit to backwards compatibility.

Do you really need something in the daily scrape that you wouldn’t get from a Fossil clone?  There are a few things on sqlite.org that aren’t in the Fossil repo, but perhaps not as many as you’d guess.

I ask because if you build a Fossil binary by hand, you can link it to an up-to-date version of OpenSSL, which may solve the certificate problem.
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Stephen Chrzanowski
On Thu, Jun 7, 2018 at 4:07 PM, Warren Young <[hidden email]> wrote:

>
> That OS is over 9 years old now.
>

Trust me, its showing its age, and I'd really like to get rid of it, but
there's a bunch of things I really don't want to migrate as some of what is
doing relies on functionality in the underlying languages that no longer
exists in newer versions of that language.  When I get a long vacation and
I'm bored of gaming, I might dig into replacing the entire VM, but until
then, work-arounds it is.  (It doesn't make outbound calls much.  Its
mostly used for DHCP services now, and keeping tabs on my kids screen time
on their computers.)


> Do you really need something in the daily scrape that you wouldn’t get
> from a Fossil clone?  There are a few things on sqlite.org that aren’t in
> the Fossil repo, but perhaps not as many as you’d guess.
>

To that, I can honestly say, I don't know.  The thing I like about the
daily scrapes is that I can grab the zip files provided in whatever state
they were uploaded as, and I archive them so 'just in case' I can go back
to a particular DLL and see whats going on.  My intention was to have the
archives come down, have a machine take note, extract, compile, and check
the DLL into my code repo.  I'd then have my source code link to the
specific version of the DLL needed.  I got as far as the 3-line bash script
to download the files. heh.  I think I might go back to that tonight
instead of YouTube......

If Fossil can get me an amalgamation to a certain version, point me where
and I'll investigate.


>
> I ask because if you build a Fossil binary by hand, you can link it to an
> up-to-date version of OpenSSL, which may solve the certificate problem.
>

I remember downloading and running Fossil and playing in the browser, but I
didn't do much with it.  Also relying on going back like 3 or 4 years.
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Keith Medcalf
In reply to this post by Stephen Chrzanowski

Just tell wget --no-check-certificate in the command line.  wget does not use a certificate repository and you need to obtain and specify the expected root manually.  It will be no less secure than it was before (when using HTTP) except that now it will use Transport encryption.  Certificate checking is useless for proving identity anyway unless you have obtained the root and validated the chain yourself and not rely on crud from untrustworthy third-parties.

THat is, change the comand line to

wget -O - --no-check-certificate https://sqlite.org/download.html

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.


>-----Original Message-----
>From: sqlite-users [mailto:sqlite-users-
>[hidden email]] On Behalf Of Stephen Chrzanowski
>Sent: Thursday, 7 June, 2018 13:35
>To: SQLite mailing list
>Subject: Re: [sqlite] sqlite.org website is now HTTPS-only
>
>I've got a script that runs daily and scrapes the download page and
>grabs
>everything new.  The last run was this morning at midnight eastern (-
>4UTC)
>and it successfully grabbed the list of files that could be
>downloaded,
>however, when I run it now, it doesn't seem to want to see anything.
>After
>making the script a bit more verbal, wget is reporting:
>
>stephen@vmLamp:~$ wget -O - https://sqlite.org/download.html
>--15:30:59--  https://sqlite.org/download.html
>           => `-'
>Resolving sqlite.org... 45.33.6.223
>Connecting to sqlite.org|45.33.6.223|:443... connected.
>ERROR: Certificate verification error for sqlite.org: unable to get
>local
>issuer certificate
>To connect to sqlite.org insecurely, use `--no-check-certificate'.
>Unable to establish SSL connection.
>
>In my browser, however, the cert does show up as green and verified
>by Lets
>Encrypt.  I'll investigate why wget isn't validating Lets Encrypt (I
>use it
>at home, so I'll test against my stuff first), then report back.  For
>now,
>I'll just add the no cert check, and I should be fine.
>
>
>On Thu, Jun 7, 2018 at 2:31 PM, Richard Hipp <[hidden email]> wrote:
>
>> As an experiment, I have reconfigured the sqlite.org website to
>> redirect all HTTP requests over to HTTPS.
>>
>> Let me know if this causes anybody any unnecessary grief.  It is
>easy
>> enough to undo the setting.
>>
>> --
>> D. Richard Hipp
>> [hidden email]
>> _______________________________________________
>> sqlite-users mailing list
>> [hidden email]
>> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-
>users
>>
>_______________________________________________
>sqlite-users mailing list
>[hidden email]
>http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users



_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

J. King-3
In reply to this post by Stephen Chrzanowski
On June 7, 2018 3:52:04 PM EDT, Stephen Chrzanowski <[hidden email]> wrote:

>Probably, yes.  Its running Debian Lenny.  I'm trying to locate a
>resource
>right now to see if I can get the appropriate files, and how to keep
>them
>updated.
>
>On Thu, Jun 7, 2018 at 3:43 PM, Simon Slavin <[hidden email]>
>wrote:
>
>> On 7 Jun 2018, at 8:35pm, Stephen Chrzanowski <[hidden email]>
>wrote:
>>
>> > stephen@vmLamp:~$ wget -O - https://sqlite.org/download.html
>> > --15:30:59--  https://sqlite.org/download.html
>> >           => `-'
>> > Resolving sqlite.org... 45.33.6.223
>> > Connecting to sqlite.org|45.33.6.223|:443... connected.
>> > ERROR: Certificate verification error for sqlite.org: unable to get
>> local
>> > issuer certificate
>> > To connect to sqlite.org insecurely, use `--no-check-certificate'.
>> > Unable to establish SSL connection.
>> >
>> > In my browser, however, the cert does show up as green
>>
>> Your copy of wget is using a different set of Certification Authority
>> certificates to those used by your browser.  Since your browser was
>updated
>> more recently than your OS (purely a guess on my part) I'm guessing
>that
>> the certificates used by "wget" are slightly out of date.
>>
>> Simon.
>> _______________________________________________
>> sqlite-users mailing list
>> [hidden email]
>> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>>
>_______________________________________________
>sqlite-users mailing list
>[hidden email]
>http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

For what it's worth, it looks like Jessie's ca-certificates package includes the ISRG's root CA certificate needed to validate Let's Encrypt certs. Presumably with the appropriate level of access you could install it manually.
--
J. King
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Bob Friesenhahn
In reply to this post by Warren Young
On Thu, 7 Jun 2018, Warren Young wrote:
>
> I ask because if you build a Fossil binary by hand, you can link it
> to an up-to-date version of OpenSSL, which may solve the certificate
> problem.

OpenSSL does not provide certificates.

The missing certificate could be copied from a newer Let's
Encrypt-friendly machine or from the Let's Encrypt site.

Bob
--
Bob Friesenhahn
[hidden email], http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Chris Brody
In reply to this post by Richard Hipp-3
http://sqlite.org and https://sqlite.org seem to redirect OK to
https://sqlite.org/index.html

http://www.sqlite.org and https://www.sqlite.org seem to redirect OK
to https://www.sqlite.org/index.html

fossil clone https://www.sqlite.org/src sqlite.fossil works for me on
my mac (recent version installed with help from Homebrew)

A couple things you may want to look into fixing before Chrome starts
to flag non-HTTPS sites as insecure:

http://www.sqlite.org/cgi/src redirects to
http://www.sqlite.org/cgi/src/doc/trunk/README.md (no HTTPS)

Instructions in https://sqlite.org/getthecode.html#clone still give
the fossil clone command with non-HTTPS URL (page at
www.sqlite.org/cgi/src/doc/trunk/README.md does give the fossil clone
with HTTPS URL)

And a couple bonus items:

I think it would be better to have most www.sqlite.org links redirect
to "naked" links within https://sqlite.org (no www subdomain). More
concise, less risk that search bots will see some form of duplicate
content.

Consider redirecting https://sqlite.org and http[s?]://www.sqlite.org
to https://sqlite.org with no explicit index.html page, and do not
redirect https://sqlite.org to explicit index.html page.

I sincerely hope you will not undo the HTTPS work so far. Maybe
redirect people to one or more mirrors in case of troubles with HTTPS?

Thanks for your attention to this one!

On Thu, Jun 7, 2018 at 2:31 PM Richard Hipp <[hidden email]> wrote:

>
> As an experiment, I have reconfigured the sqlite.org website to
> redirect all HTTP requests over to HTTPS.
>
> Let me know if this causes anybody any unnecessary grief.  It is easy
> enough to undo the setting.
>
> --
> D. Richard Hipp
> [hidden email]
> _______________________________________________
> sqlite-users mailing list
> [hidden email]
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Warren Young
In reply to this post by Bob Friesenhahn
On Jun 7, 2018, at 3:08 PM, Bob Friesenhahn <[hidden email]> wrote:
>
> On Thu, 7 Jun 2018, Warren Young wrote:
>>
>> I ask because if you build a Fossil binary by hand, you can link it to an up-to-date version of OpenSSL, which may solve the certificate problem.
>
> OpenSSL does not provide certificates.

Yes, I know that, but it does solve the other likely problem when using a too-old system with HTTPS, being an inability for the client and server to agree on a mutually-supported encryption suite.  With all of the security vulnerabilities found in encryption algorithms, hashing algorithms, and libraries over the past 9 years, there’s a fair chance Lenny’s OpenSSL won’t be able to talk to the TLS implementation on sqlite.org even with the CA issue solved.

Fossil’s build system has a specific option for linking to a non-system version of OpenSSL built from source, which solves that problem.
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Jungle Boogie
In reply to this post by Keith Medcalf
On 1:38PM, Thu, Jun 7, 2018 Keith Medcalf <[hidden email]> wrote:
>
>
> Just tell wget --no-check-certificate in the command line.  wget does not
use a certificate repository and you need to obtain and specify the
expected root manually.  It will be no less secure than it was before (when
using HTTP) except that now it will use Transport encryption.  Certificate
checking is useless for proving identity anyway unless you have obtained
the root and validated the chain yourself and not rely on crud from
untrustworthy third-parties.
>
> THat is, change the comand line to
>
> wget -O - --no-check-certificate https://sqlite.org/download.html
>

Good, quick solution.

If you also do this, check out downloading the download.zip or targz file,
which is generated by fossil. You'll get the latest of whichever branch you
specify.

> ---
> The fact that there's a Highway to Hell but only a Stairway to Heaven
says a lot about anticipated traffic volume.
>
>
>
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Bob Friesenhahn
In reply to this post by Warren Young
On Thu, 7 Jun 2018, Warren Young wrote:
>
> Yes, I know that, but it does solve the other likely problem when
> using a too-old system with HTTPS, being an inability for the client
> and server to agree on a mutually-supported encryption suite.  With
> all of the security vulnerabilities found in encryption algorithms,
> hashing algorithms, and libraries over the past 9 years, there’s a
> fair chance Lenny’s OpenSSL won’t be able to talk to the TLS
> implementation on sqlite.org even with the CA issue solved.

In this case, we already heard that Lenny’s wget is able to access the
web site if server certificate checks are disabled.

It is much easier to add to the certificates used by the system given
that wget already works.

Bob
--
Bob Friesenhahn
[hidden email], http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Scott Doctor
In reply to this post by Warren Young
Just out of curiosity, is the sqlite website using nginx or
apache as the server?


-------------------------
Scott Doctor
[hidden email]
-------------------------


_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Warren Young
In reply to this post by Stephen Chrzanowski
On Jun 7, 2018, at 2:32 PM, Stephen Chrzanowski <[hidden email]> wrote:

>
> On Thu, Jun 7, 2018 at 4:07 PM, Warren Young <[hidden email]> wrote:
>
>> Do you really need something in the daily scrape that you wouldn’t get
>> from a Fossil clone?
>
> To that, I can honestly say, I don't know.  The thing I like about the
> daily scrapes is that I can grab the zip files provided in whatever state
> they were uploaded as, and I archive them so 'just in case' I can go back
> to a particular DLL and see whats going on.

If you’re talking about the contents of

    https://sqlite.org/download.html

then I believe that is not stored in Fossil, as is good version control hygiene, those all being artifacts derived from source files that *are* checked into the repository.  If the DLLs and such were checked into the Fossil repository, you’d expect to find them here:

    https://www.sqlite.org/cgi/src/uvlist

But that feature of Fossil is apparently not being used by the SQLite project at the moment.

Since those are all generated from files that are in Fossil, however, that means you can also build them in the same way:

    fossil clone https://sqlite.org/cgi/src ~/museum/sqlite.fossil
    mkdir ~/sqlite-src
    cd ~/sqlite-src
    fossil open ~/museum/sqlite.fossil version-3.22.0
    ./configure
    make sqlite3.c
    x86_64-w64-mingw32-gcc -shared sqlite3.c -o sqlite3.dll

Notes:

0. You will need a recent version of Fossil to clone SQLite.  It appears Fossil was never packaged for Lenny, nor would it work if it did due to a cryptographic hashing change made on the repository last year.  If the official binaries won’t run on Lenny, it’s easy enough to build Fossil from source:

    https://fossil-scm.org/index.html/uv/download.html

Or:

    wget --no-check-certificate https://fossil-scm.org/index.html/uv/fossil-src-2.6.tar.gz
    tar xvf… && ./configure && make && sudo make install

1. ~/museum is where I choose to keep my fossils.  Fossil doesn’t care where they are, nor must they be grouped in any particular way.  Use the organization scheme that makes sense to you if you don’t like mine.

2. Fossil also doesn’t care that the repository clones end in *.fossil, with one exception you’re not likely to run into unless you get much deeper into Fossil.  Still, it’s a good convention to follow.

3. After doing the initial repository clone, you don’t need to re-clone it each time you want a new version.  You just need to say “fossil update” within a checkout directory whenever you want to fetch upstream changes.  Some operations will automatically do an update — technically called an autosync — so you might not have to do it manually.

4. You only need to “open” the repository into a different checkout directory each time if that’s helpful to you, as it can be whenever it’s useful to have multiple branches open at once.  If you want just one checkout directory, after the initial “open” you can switch to saying “fossil update version-xxxx” in place of the “open” command.

5. There are many other things you can give in place of the version tag:

    https://www.sqlite.org/cgi/src/brlist
    https://www.sqlite.org/cgi/src/taglist
    https://www.fossil-scm.org/xfer/doc/trunk/www/checkin_names.wiki

You might, for example, find it useful to fetch a version as of a particular date:

    fossil update 2017-07-04

Or, get the latest release, without having to know in advance what the version number is:

    fossil update release

6. The final three steps in the build sequence above assume you’re doing this on the Debian box with the MinGW 64-bit cross-compiler:

    http://archive.debian.org/debian/pool/main/m/mingw-w64/

If you need a 32-bit binary, I believe you just need to switch the compiler command to i686-w64-mingw32-gcc.  (That’s a guess.  I’ve never had to use the MinGW cross-compiler on a Linux box.  I rarely enough use it on Windows.)

If you do this on a Windows box instead, the build instructions differ:

    https://sqlite.org/howtocompile.html#building_a_windows_dll
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Dennis Clarke
In reply to this post by Bob Friesenhahn
On 6/7/18 5:34 PM, Bob Friesenhahn wrote:

> On Thu, 7 Jun 2018, Warren Young wrote:
>>
>> Yes, I know that, but it does solve the other likely problem when
>> using a too-old system with HTTPS, being an inability for the client
>> and server to agree on a mutually-supported encryption suite.  With
>> all of the security vulnerabilities found in encryption algorithms,
>> hashing algorithms, and libraries over the past 9 years, there’s a
>> fair chance Lenny’s OpenSSL won’t be able to talk to the TLS
>> implementation on sqlite.org even with the CA issue solved.
>
> In this case, we already heard that Lenny’s wget is able to access the
> web site if server certificate checks are disabled.
>
> It is much easier to add to the certificates used by the system given
> that wget already works.
>
> Bob

Merely my nickle's worth of thoughts here but I think you can go to a
Debian 9 system and tarball the contents of /etc/ssl/certs and then drop
them into any system. There should be a ssl.cnf file kicking around as
well if that helps. Also wget can be given --ca-directory=/etc/ssl/certs
as an option if necessary.  Should be if wget is linked with openssl
correctly.

Dennis
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Richard Hipp-3
In reply to this post by Scott Doctor
On 6/7/18, Scott Doctor <[hidden email]> wrote:
> Just out of curiosity, is the sqlite website using nginx or
> apache as the server?

None of the above.

The web server is one that I wrote myself, long again, before SQLite,
called althttpd.c.  You can find the source code here:

   https://www.sqlite.org/docsrc/file/misc/althttpd.c
   https://www.sqlite.org/docsrc/file/misc/althttpd.md

Earlier today, I enhanced althttpd.c with the ability to cause
redirects from http: to https:.  I enabled that capability on
www.sqlite.org as a test.  That is the main point of this exercise.

--
D. Richard Hipp
[hidden email]
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

Dennis Clarke
On 6/7/18 9:59 PM, Richard Hipp wrote:
> On 6/7/18, Scott Doctor <[hidden email]> wrote:
>> Just out of curiosity, is the sqlite website using nginx or
>> apache as the server?
>
> None of the above.
>
> The web server is one that I wrote myself

You're level of cool just jumped to UNIX silverback level :-)

Dennis

_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: sqlite.org website is now HTTPS-only

George
In reply to this post by Richard Hipp-3
On Thu, 7 Jun 2018 14:31:22 -0400
Richard Hipp <[hidden email]> wrote:

> As an experiment, I have reconfigured the sqlite.org website to
> redirect all HTTP requests over to HTTPS.
>
> Let me know if this causes anybody any unnecessary grief.  It is easy
> enough to undo the setting.
>

Why can't we have both? I mean the software is in the public domain
there is nothing to hide so what's the point of encrypting the site?

Cheers and thank for you generosity and work.
Best regards,
George
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
123