
Re: [PATCH] get-location-segments.py would work on self-signed ssl servers too

From: Daniel Shahaf <danielsh_at_elego.de>
Date: Fri, 2 Sep 2011 13:12:35 +0300

Prabhu Gnana Sundar wrote on Fri, Sep 02, 2011 at 11:54:29 +0530:
> On Monday 22 August 2011 09:37 AM, Prabhu Gnana Sundar wrote:
> >On Thursday 18 August 2011 06:46 PM, Daniel Shahaf wrote:
> >>I tried your patch against
> >>https://svn.eu.apache.org/repos/asf/subversion/README
> >>(which uses a non-self-signed cert, but rather one for which the cert's
> >>hostname differs from the URI's hostname), and it didn't seem to work:
> >>
> >>[[[
> >> ./tools/examples/get-location-segments.py
> >>https://svn.eu.apache.org/repos/asf/subversion/README
> >>Untrusted cert details are as follows:
> >>--------------------------------------
> >>Issuer : 07969287,
> >>http://certificates.godaddy.com/repository, GoDaddy.com, Inc.,
> >>Scottsdale, Arizona, US
> >>Hostname : svn.apache.org
> >>ValidFrom : Thu, 13 Nov 2008 18:56:12 GMT
> >>ValidUpto : Thu, 26 Jan 2012 14:18:55 GMT
> >>Fingerprint: cc:54:a4:a9:ec:3a:9b:1c:23:ac:2d:57:c6:96:9f:5f:4a:1d:2d:86
> >>
> >>accept (t)temporarily (p)permanently: t
> >>Traceback (most recent call last):
> >> File "./tools/examples/get-location-segments.py", line 147,
> >>in<module>
> >> main()
> >> File "./tools/examples/get-location-segments.py", line 142, in main
> >> ra_session = ra.open(url, ra_callbacks, None, ctx.config)
> >> File "/usr/lib/pymodules/python2.6/libsvn/ra.py", line 534,
> >>in svn_ra_open
> >> return _ra.svn_ra_open(*args)
> >>svn.core.SubversionException: ("OPTIONS of
> >>'https://svn.eu.apache.org/repos/asf/subversion/README': Server
> >>certificate verification failed: certificate issued for a
> >>different hostname (https://svn.eu.apache.org)", 175002)
> >>zsh: exit 1 ./tools/examples/get-location-segments.py
> >>]]]
> >>
> >>What am I missing?
> >>
> >
> >Something interesting... It is failing for me only with neon, but
> >working fine with serf, seeing some inconsistencies here...
>
> Observations after immense exploration by Vijay and me...
>
> I am using OpenSSL 0.9.8o and Neon 0.27. The problem is that this
> version of OpenSSL does not have the SNI support whereas this
> version of neon has a (broken) default SNI support.
>
> This has been fixed in OpenSSL 1.0.0d and Neon 0.28.

I used OpenSSL 0.9.8o and Neon 0.29.3, so that should explain the
errors I saw. Thanks!
Received on 2011-09-02 12:14:30 CEST

This is an archived mail posted to the Subversion Dev mailing list.