On Mon, Mar 12, 2012 at 2:11 PM, Zachary Burnham <zburnham_at_efi.org> wrote:
> I don't believe I was getting this before I upgraded to Lion (10.7). OS X
> does something kind of funky with ssl certificates, it keeps them in the
> "keychain" which applications can then access. I did find instructions for
> how to export the certificate and put it somewhere where svn can find it,
> but unfortunately they didn't work for me.
>
> I don't have access to the server where this repository lives,
> unfortunately. I'm also not sure how to check to see what version of the
> OpenSSL library this was built against.
Ok, if you don't have control over the repository to make sure the
entire cert-chain is sent, you can try the following: make sure that
the .pem file that you refer to in ~/.subversion/servers contains the
"immediate issuer" of the server cert that you're trying to accept. So
not the top-level CA, but the intermediate CA that has directly issued
the server cert that you want to trust. You should be able to find and
export this by examining the certificate chain from within your
browser (or within the KeyChain tool or something).
And if that works, contact the server administrator and ask him to let
the server provide the chain with the SSLCertificateChainFile
directive, so you can go back to trusting the top-level CA.
--
Johan
Received on 2012-03-12 14:52:06 CET