
Re: [PATCH] Make ssl auth prompt when server cert verification fails

From: Chris Foote <Chris.Foote_at_v21.me.uk>
Date: 2003-03-27 23:51:30 CET

Oops, forgot the Log message.

Use the server_ssl_prompt_provider when the server_ssl_file_provider
does not get any 'ssl-ignore-*' config options.

* subversion/libsvn_client/auth.c:
  (server_ssl_file_first_credentials): Set the failures_allow member only when the
  config has an ssl-ignore-* option set to 'true' and set the credentials. If no
  options are set then set credentials to NULL.

Regards,
Chris

Index: subversion/libsvn_client/auth.c
===================================================================
--- subversion/libsvn_client/auth.c (revision 5480)
+++ subversion/libsvn_client/auth.c (working copy)
@@ -425,6 +425,7 @@
                                    apr_pool_t *pool)
 {
   const char *temp_setting;
+ int failures_allow = 0;
   svn_config_t *cfg = apr_hash_get (parameters,
                                     SVN_AUTH_PARAM_CONFIG,
                                     APR_HASH_KEY_STRING);
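Review bot: the new local `int failures_allow = 0;` is a bitmask built from the SVN_AUTH_SSL_* flags, so it should be declared with the same type as the `failures_allow` member of svn_auth_cred_server_ssl_t that it is later copied into, rather than a plain signed int. A one-line comment that 0 means "no verification failure is ignored" would also help, because the rest of the change decides between returning credentials and returning NULL on exactly that value.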
@@ -432,24 +433,42 @@
                                            SVN_AUTH_PARAM_SERVER_GROUP,
                                            APR_HASH_KEY_STRING);
 
- svn_auth_cred_server_ssl_t *cred =
- apr_palloc (pool, sizeof(svn_auth_cred_server_ssl_t));
-
- cred->failures_allow = 0;
   temp_setting = svn_config_get_server_setting (cfg, server_group,
- "ssl-ignore-unknown-ca", NULL);
- cred->failures_allow = temp_setting ? SVN_AUTH_SSL_UNKNOWNCA : 0;
+ "ssl-ignore-unknown-ca",
+ "false");
+ if (strcasecmp (temp_setting, "true") == 0)
+ {
+ failures_allow |= SVN_AUTH_SSL_UNKNOWNCA;
+ }
+
   temp_setting = svn_config_get_server_setting (cfg, server_group,
                                                 "ssl-ignore-host-mismatch",
- NULL);
- cred->failures_allow |= temp_setting ? SVN_AUTH_SSL_CNMISMATCH : 0;
+ "false");
+ if (strcasecmp (temp_setting, "true") == 0)
+ {
+ failures_allow |= SVN_AUTH_SSL_CNMISMATCH;
+ }
+
   temp_setting = svn_config_get_server_setting (cfg, server_group,
                                                 "ssl-ignore-invalid-date",
- NULL);
- cred->failures_allow |=
- temp_setting ? (SVN_AUTH_SSL_NOTYETVALID | SVN_AUTH_SSL_EXPIRED) : 0;
+ "false");
+ if (strcasecmp (temp_setting, "true") == 0)
+ {
+ failures_allow |= (SVN_AUTH_SSL_NOTYETVALID | SVN_AUTH_SSL_EXPIRED);
+ }
+
+ if (failures_allow != 0)
+ {
+ svn_auth_cred_server_ssl_t *cred =
+ apr_palloc (pool, sizeof(svn_auth_cred_server_ssl_t));
+ cred->failures_allow = failures_allow;
+ *credentials = cred;
+ }
+ else
+ {
+ *credentials = NULL;
+ }
 
- *credentials = cred;
   return SVN_NO_ERROR;
 }
 
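Review bot: the three `strcasecmp (temp_setting, "true") == 0` checks accept only the literal string "true", so a value such as "yes" or "1" now falls through to the no-credentials path without any diagnostic. That fails towards prompting, which is the safe direction, but the accepted spelling should be stated in a comment or in the servers file documentation. The same get-setting-and-compare block is repeated three times; a small static helper taking the option name and the flag mask would keep the three options from drifting apart. strcasecmp is not available under that name on every platform, and no include for it is visible in this diff, so please confirm the file builds where it is missing or use a portable comparison. Finally, the `*credentials = NULL;` branch deserves a comment saying that NULL together with SVN_NO_ERROR is what hands the decision to the next provider (the prompt provider named in the log message), since that is the behaviour the whole patch depends on.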

----- Original Message -----
From: "Chris Foote" <Chris.Foote@v21.me.uk>
To: <dev@subversion.tigris.org>
Sent: Thursday, March 27, 2003 1:39 PM
Subject: [PATCH] Make ssl auth prompt when server cert verification fails

> The attached patch makes the ssl auth provider prompt when the
> config either does not have the 'ssl-ignore-unknown-ca' option
> set or it is set to anything other than 'true'.
>
> > svn info
> Url: https://svn.collab.net/repos/svn/trunk
> Revision: 5483
>
> > svn --version
> svn, version 0.20.1 (dev build)
> compiled Mar 27 2003, 12:09:42
>
> Steps to reproduce.
> 1) Edit the servers config so the option is not set.
>
> > vi ~/.subversion/servers
> # ssl-ignore-unknown-ca = true
> > svn up
> subversion/libsvn_ra_dav/util.c:396: (apr_err=175002)
> svn: RA layer request failed
> svn: REPORT request failed on '/repos/svn/trunk'
> subversion/libsvn_ra_dav/util.c:81: (apr_err=175002)
> svn: REPORT of '/repos/svn/trunk': Certificate verification failed
>
> This gives an error when it should be prompting.
>
> 2) Edit the servers config so the option is set to 'true'.
>
> > vi ~/.subversion/servers
> ssl-ignore-unknown-ca = true
> > svn up
> At revision 5483.
>
> Updates as expected.
>
> 3) Edit the servers config so the option is set to 'false'.
>
> > vi ~/.subversion/servers
> ssl-ignore-unknown-ca = false
> > svn up
> At revision 5483.
>
> This updates when it should be prompting.
>
>
> After applying the patch I get:
> 1)
>
> > vi ~/.subversion/servers
> # ssl-ignore-unknown-ca = true
> > svn up
> Error validating server certificate: Unknown certificate issuer.
> Accept? (y/N): y
> At revision 5483.
>
> 2)
>
> > vi ~/.subversion/servers
> ssl-ignore-unknown-ca = true
> > svn up
> At revision 5483.
>
> 3)
>
> > vi ~/.subversion/servers
> ssl-ignore-unknown-ca = false
> > svn up
> Error validating server certificate: Unknown certificate issuer.
> Accept? (y/N): y
> At revision 5483.
>
> 4) Using the non-interactive option, there is no prompt.
>
> > svn up --non-interactive
> subversion/libsvn_ra_dav/util.c:396: (apr_err=175002)
> svn: RA layer request failed
> svn: REPORT request failed on '/repos/svn/trunk'
> subversion/libsvn_ra_dav/util.c:81: (apr_err=175002)
> svn: REPORT of '/repos/svn/trunk': Certificate verification failed
>
>
> Regards,
> Chris
>

Received on Fri Mar 28 02:36:17 2003

This is an archived mail posted to the Subversion Dev mailing list.
