The attached patch makes the ssl auth provider prompt when the
config either does not have the 'ssl-ignore-unknown-ca' option
set or it is set to anything other than 'true'.
> svn info
Url: https://svn.collab.net/repos/svn/trunk
Revision: 5483
> svn --version
svn, version 0.20.1 (dev build)
compiled Mar 27 2003, 12:09:42
Steps to reproduce.
1) Edit the servers config so the option is not set.
> vi ~/.subversion/servers
# ssl-ignore-unknown-ca = true
> svn up
subversion/libsvn_ra_dav/util.c:396: (apr_err=175002)
svn: RA layer request failed
svn: REPORT request failed on '/repos/svn/trunk'
subversion/libsvn_ra_dav/util.c:81: (apr_err=175002)
svn: REPORT of '/repos/svn/trunk': Certificate verification failed
This gives an error when it should be prompting.
2) Edit the servers config so the option is set to 'true'.
> vi ~/.subversion/servers
ssl-ignore-unknown-ca = true
> svn up
At revision 5483.
Updates as expected.
3) Edit the servers config so the option is set to 'false'.
> vi ~/.subversion/servers
ssl-ignore-unknown-ca = false
> svn up
At revision 5483.
This updates when it should be prompting.
After applying the patch I get:
1)
> vi ~/.subversion/servers
# ssl-ignore-unknown-ca = true
> svn up
Error validating server certificate: Unknown certificate issuer.
Accept? (y/N): y
At revision 5483.
2)
> vi ~/.subversion/servers
ssl-ignore-unknown-ca = true
> svn up
At revision 5483.
3)
> vi ~/.subversion/servers
ssl-ignore-unknown-ca = false
> svn up
Error validating server certificate: Unknown certificate issuer.
Accept? (y/N): y
At revision 5483.
4) Using the non-interactive option, there is no prompt.
> svn up --non-interactive
subversion/libsvn_ra_dav/util.c:396: (apr_err=175002)
svn: RA layer request failed
svn: REPORT request failed on '/repos/svn/trunk'
subversion/libsvn_ra_dav/util.c:81: (apr_err=175002)
svn: REPORT of '/repos/svn/trunk': Certificate verification failed
Regards,
Chris
________________________________________________________________
Index: subversion/libsvn_client/auth.c
===================================================================
--- subversion/libsvn_client/auth.c (revision 5483)
+++ subversion/libsvn_client/auth.c (working copy)
@@ -425,6 +425,7 @@
apr_pool_t *pool)
{
const char *temp_setting;
+ int failures_allow = 0;
svn_config_t *cfg = apr_hash_get (parameters,
SVN_AUTH_PARAM_CONFIG,
APR_HASH_KEY_STRING);
@@ -432,24 +433,42 @@
SVN_AUTH_PARAM_SERVER_GROUP,
APR_HASH_KEY_STRING);
- svn_auth_cred_server_ssl_t *cred =
- apr_palloc (pool, sizeof(svn_auth_cred_server_ssl_t));
-
- cred->failures_allow = 0;
temp_setting = svn_config_get_server_setting (cfg, server_group,
- "ssl-ignore-unknown-ca", NULL);
- cred->failures_allow = temp_setting ? SVN_AUTH_SSL_UNKNOWNCA : 0;
+ "ssl-ignore-unknown-ca",
+ "false");
+ if (strcasecmp (temp_setting, "true") == 0)
+ {
+ failures_allow |= SVN_AUTH_SSL_UNKNOWNCA;
+ }
+
temp_setting = svn_config_get_server_setting (cfg, server_group,
"ssl-ignore-host-mismatch",
- NULL);
- cred->failures_allow |= temp_setting ? SVN_AUTH_SSL_CNMISMATCH : 0;
+ "false");
+ if (strcasecmp (temp_setting, "true") == 0)
+ {
+ failures_allow |= SVN_AUTH_SSL_CNMISMATCH;
+ }
+
temp_setting = svn_config_get_server_setting (cfg, server_group,
"ssl-ignore-invalid-date",
- NULL);
- cred->failures_allow |=
- temp_setting ? (SVN_AUTH_SSL_NOTYETVALID | SVN_AUTH_SSL_EXPIRED) : 0;
+ "false");
+ if (strcasecmp (temp_setting, "true") == 0)
+ {
+ failures_allow |= (SVN_AUTH_SSL_NOTYETVALID | SVN_AUTH_SSL_EXPIRED);
+ }
+
+ if (failures_allow != 0)
+ {
+ svn_auth_cred_server_ssl_t *cred =
+ apr_palloc (pool, sizeof(svn_auth_cred_server_ssl_t));
+ cred->failures_allow = failures_allow;
+ *credentials = cred;
+ }
+ else
+ {
+ *credentials = NULL;
+ }
- *credentials = cred;
return SVN_NO_ERROR;
}
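Review bot: The three `strcasecmp (temp_setting, "true")` calls dereference `temp_setting` without a NULL check. Whether `svn_config_get_server_setting` still returns the `"false"` default when `cfg` or `server_group` is NULL is not visible here, and both come from `apr_hash_get` on `parameters`. A guard such as `if (temp_setting && strcasecmp (temp_setting, "true") == 0)` keeps the function failing closed, with no certificate failure bits waived, instead of crashing. `strcasecmp` is also POSIX rather than ISO C, so a platform without `<strings.h>` would need something like `apr_strnatcasecmp`. A short comment above the final `if`, e.g. `/* No failures waived: return no credentials so the next provider (the prompt) decides. */`, would record why `*credentials` is set to NULL; the function's signature starts outside this hunk.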
Received on Thu Mar 27 19:22:02 2003