Re: svn commit: rev 4602 - branches/issue-650-ssl-certs/subversion/libsvn_ra_dav

Joe Orton wrote:

On Wed, Jan 29, 2003 at 10:41:42AM -0700, David Waite wrote:
  

Joe Orton wrote:
    

Hi - these turn off security config options seem to be of dubious
value: ignoring common name mismatches and untrusted CAs both allow MITM
attacks if enabled. I think it's better to require manual intervention
for any cert validation errors.

How often, though? Once per server? Once per ra-hitting command?
Currently it is an option which requires manual override within a
configuration file, and which can (and should) be overridden on a
server-by-server basis. If these are not enabled in the configuration
file, it is always a fatal connection error.
    

I would say once per ra session: by manual intervention I meant a
prompt in the user interface.

That will probably be a fair amount of work: a good first step would be
to add the config options to load trusted CA certs, and remove the calls
to ne_ssl_set_verify so that a cert verification error is always fatal.
  

I disagree - there is no real difference between having the user hit 'Y'
to get around a certificate problem, vs having the user to append
overrides to a file to get around a certificate problem. The only
difference really is that someone does not blindly hit 'Y' to continue,
which in my opinion makes it more secure, not less.

-David Waite

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Oct 14 02:24:14 2006