
Re: [PATCH] Make ssl auth prompt when server cert verification fails

From: David Waite <mass_at_akuma.org>
Date: 2003-03-28 04:13:53 CET

I have a similar change within my (ever-growing) patch - but it only
returns the credentials object if all conditions are met, not if only
some of the conditions are met.

(a FYI - Originally, the design was to pass the previous accepted
failures into the next provider, so that that information could be
displayed. i.e. the server hostname does not match the certificate, and
you expected that, but now it is expired as well. In the end, we decided
that this was a bit too much coupling between auth providers, so it got
pulled out.)

Hopefully I'll have the patch updated to head and sent out tonight
(assuming my mail stays up tonight ;-))

-David Waite

Chris Foote wrote:

>Oops, forgot the Log message.
>
>Use the server_ssl_prompt_provider when the server_ssl_file_provider
>does not get any 'ssl-ignore-*' config options.
>
>* subversion/libsvn_client/auth.c:
> (server_ssl_file_first_credentials): Set the failures_allow member only when the
> config has an ssl-ignore-* option set to 'true' and set the credentials. If no
> options are set then set credentials to NULL.
>
>Regards,
>Chris
>
>Index: subversion/libsvn_client/auth.c
>===================================================================
>--- subversion/libsvn_client/auth.c (revision 5480)
>+++ subversion/libsvn_client/auth.c (working copy)
>@@ -425,6 +425,7 @@
> apr_pool_t *pool)
> {
> const char *temp_setting;
>+ int failures_allow = 0;
> svn_config_t *cfg = apr_hash_get (parameters,
> SVN_AUTH_PARAM_CONFIG,
> APR_HASH_KEY_STRING);
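Review bot: The new local `int failures_allow = 0;` holds OR-ed SVN_AUTH_SSL_* flags and is later assigned to `cred->failures_allow`, so it should be declared with the same type as that member rather than a plain `int` if the two differ. A one-line comment saying it is the set of verification failures the config permits would also help, since the name alone does not say it is a bitmask.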
>@@ -432,24 +433,42 @@
> SVN_AUTH_PARAM_SERVER_GROUP,
> APR_HASH_KEY_STRING);
>
>- svn_auth_cred_server_ssl_t *cred =
>- apr_palloc (pool, sizeof(svn_auth_cred_server_ssl_t));
>-
>- cred->failures_allow = 0;
> temp_setting = svn_config_get_server_setting (cfg, server_group,
>- "ssl-ignore-unknown-ca", NULL);
>- cred->failures_allow = temp_setting ? SVN_AUTH_SSL_UNKNOWNCA : 0;
>+ "ssl-ignore-unknown-ca",
>+ "false");
>+ if (strcasecmp (temp_setting, "true") == 0)
>+ {
>+ failures_allow |= SVN_AUTH_SSL_UNKNOWNCA;
>+ }
>+
> temp_setting = svn_config_get_server_setting (cfg, server_group,
> "ssl-ignore-host-mismatch",
>- NULL);
>- cred->failures_allow |= temp_setting ? SVN_AUTH_SSL_CNMISMATCH : 0;
>+ "false");
>+ if (strcasecmp (temp_setting, "true") == 0)
>+ {
>+ failures_allow |= SVN_AUTH_SSL_CNMISMATCH;
>+ }
>+
> temp_setting = svn_config_get_server_setting (cfg, server_group,
> "ssl-ignore-invalid-date",
>- NULL);
>- cred->failures_allow |=
>- temp_setting ? (SVN_AUTH_SSL_NOTYETVALID | SVN_AUTH_SSL_EXPIRED) : 0;
>+ "false");
>+ if (strcasecmp (temp_setting, "true") == 0)
>+ {
>+ failures_allow |= (SVN_AUTH_SSL_NOTYETVALID | SVN_AUTH_SSL_EXPIRED);
>+ }
>+
>+ if (failures_allow != 0)
>+ {
>+ svn_auth_cred_server_ssl_t *cred =
>+ apr_palloc (pool, sizeof(svn_auth_cred_server_ssl_t));
>+ cred->failures_allow = failures_allow;
>+ *credentials = cred;
>+ }
>+ else
>+ {
>+ *credentials = NULL;
>+ }
>
>- *credentials = cred;
> return SVN_NO_ERROR;
> }
>
>
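Review bot: The closing `if (failures_allow != 0)` test returns credentials as soon as any one ssl-ignore-* option is 'true', without reference to which verification failures actually occurred. With only ssl-ignore-host-mismatch set and a certificate from an unknown issuer, this provider still answers, and whether the prompt provider is ever reached then depends on the caller comparing the mask against the real failures, which is not visible in this hunk. Consider returning NULL unless the mask covers every reported failure, or state in the function's doc comment that the caller must make that comparison. Two smaller points: `strcasecmp` is POSIX rather than ISO C, so a portable comparison (APR provides `apr_strnatcasecmp`) is safer for non-POSIX builds; and the three `strcasecmp (temp_setting, "true")` calls rely on `svn_config_get_server_setting` never returning NULL when given the "false" default, which deserves a comment or a guard.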
>----- Original Message -----
>From: "Chris Foote" <Chris.Foote@v21.me.uk>
>To: <dev@subversion.tigris.org>
>Sent: Thursday, March 27, 2003 1:39 PM
>Subject: [PATCH] Make ssl auth prompt when server cert verification fails
>
>
>>The attached patch makes the ssl auth provider prompt when the
>>config either does not have the 'ssl-ignore-unknown-ca' option
>>set or it is set to anything other than 'true'.
>>
>>>svn info
>>Url: https://svn.collab.net/repos/svn/trunk
>>Revision: 5483
>>
>>>svn --version
>>svn, version 0.20.1 (dev build)
>> compiled Mar 27 2003, 12:09:42
>>
>>Steps to reproduce.
>>1) Edit the servers config so the option is not set.
>>
>>>vi ~/.subversion/servers
>># ssl-ignore-unknown-ca = true
>>
>>>svn up
>>subversion/libsvn_ra_dav/util.c:396: (apr_err=175002)
>>svn: RA layer request failed
>>svn: REPORT request failed on '/repos/svn/trunk'
>>subversion/libsvn_ra_dav/util.c:81: (apr_err=175002)
>>svn: REPORT of '/repos/svn/trunk': Certificate verification failed
>>
>>This gives an error when it should be prompting.
>>
>>2) Edit the servers config so the option is set to 'true'.
>>
>>>vi ~/.subversion/servers
>>ssl-ignore-unknown-ca = true
>>
>>>svn up
>>At revision 5483.
>>
>>Updates as expected.
>>
>>3) Edit the servers config so the option is set to 'false'.
>>
>>>vi ~/.subversion/servers
>>ssl-ignore-unknown-ca = false
>>
>>>svn up
>>At revision 5483.
>>
>>This updates when it should be prompting.
>>
>>After applying the patch I get:
>>1)
>>
>>>vi ~/.subversion/servers
>># ssl-ignore-unknown-ca = true
>>
>>>svn up
>>Error validating server certificate: Unknown certificate issuer.
>>Accept? (y/N): y
>>At revision 5483.
>>
>>2)
>>
>>>vi ~/.subversion/servers
>>ssl-ignore-unknown-ca = true
>>
>>>svn up
>>At revision 5483.
>>
>>3)
>>
>>>vi ~/.subversion/servers
>>ssl-ignore-unknown-ca = false
>>
>>>svn up
>>Error validating server certificate: Unknown certificate issuer.
>>Accept? (y/N): y
>>At revision 5483.
>>
>>4) Using the non-interactive option, there is no prompt.
>>
>>>svn up --non-interactive
>>subversion/libsvn_ra_dav/util.c:396: (apr_err=175002)
>>svn: RA layer request failed
>>svn: REPORT request failed on '/repos/svn/trunk'
>>subversion/libsvn_ra_dav/util.c:81: (apr_err=175002)
>>svn: REPORT of '/repos/svn/trunk': Certificate verification failed
>>
>>Regards,
>>Chris
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
>For additional commands, e-mail: dev-help@subversion.tigris.org
>
>
>

Received on Fri Mar 28 04:14:45 2003
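
The difference David Waite describes in his reply, between answering when some ssl-ignore-* option is set and answering only when every reported failure is covered, as an added example (not code from the patch or from Subversion). The flag values, the function names and the reading of "all conditions are met" as "every failure bit is in the allow mask" are assumptions; only the option and flag names come from the page.

```c
#include <ctype.h>
#include <stddef.h>

/* Constructed bit values; only the flag names appear in the patch. */
#define SSL_UNKNOWNCA    0x1u
#define SSL_CNMISMATCH   0x2u
#define SSL_NOTYETVALID  0x4u
#define SSL_EXPIRED      0x8u

/* Portable case-insensitive match on the literal "true"; NULL is false. */
static int is_true(const char *s)
{
  const char *t = "true";
  if (s == NULL)
    return 0;
  while (*s && *t && tolower((unsigned char)*s) == *t)
    { s++; t++; }
  return *s == '\0' && *t == '\0';
}

/* Build the allow mask from the three ssl-ignore-* option values. */
unsigned allow_mask(const char *unknown_ca, const char *host_mismatch,
                    const char *invalid_date)
{
  unsigned allow = 0;
  if (is_true(unknown_ca))    allow |= SSL_UNKNOWNCA;
  if (is_true(host_mismatch)) allow |= SSL_CNMISMATCH;
  if (is_true(invalid_date))  allow |= SSL_NOTYETVALID | SSL_EXPIRED;
  return allow;
}

/* Policy in the posted patch: answer whenever any option is set. */
int returns_cred_any(unsigned allow, unsigned failures)
{
  (void)failures;               /* actual failures are not consulted */
  return allow != 0;
}

/* Policy assumed for the reply: answer only if every failure is allowed.
   Assumes failures != 0, i.e. the provider runs only after a failed check. */
int returns_cred_all(unsigned allow, unsigned failures)
{
  return (failures & ~allow) == 0;
}
```

With only ssl-ignore-host-mismatch set and a certificate that is both mismatched and from an unknown issuer, the first policy answers and the second falls through to the prompt provider.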

This is an archived mail posted to the Subversion Dev mailing list.
