[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: New auth system and hostname mismatch

From: David Waite <mass_at_akuma.org>
Date: 2003-04-22 10:00:31 CEST

There are a couple of different options here; you could add a hostname
mismatch override for those hosts, using something like the following in
the servers config file:

[groups]
macrology = *.macrology.co.nz

[macrology]
ssl-ignore-host-mismatch = true

You could also generate your own certificate authority certificate, and
generate your own wildcard certificate or certificate per host. This
would be no less valid for those subdomains.

The third and fourth options involve changing code; either a new flag
which treats certificates as wildcard certificates, or a server host
alias override. I would prefer the fourth option (its a lot less code
and appears more valid to me), but would probably want the
ssl-ignore-host-mismatch flag to go away if it was added.

What does everyone think, is this a useful enough option to put in, and
should the existing ignore option go away?

-David Waite

Adam Warner wrote:

>Hi all,
>
>I privately use subdomains with a non-wildcard globally trusted secure
>certificate (macrology.co.nz, issued by Comodo). Subversion's new (0.21)
>authority checking code complains about the hostname mismatch:
>
> Error validating server certificate: Unknown certificate issuer,
> Hostname mismatch. Accept? (y/N):
>
>Is here a rule I can add to the ~/./subversion/auth subdirectory to accept
>a subdomain.macrology.co.nz if macrology.co.nz is a valid certificate? In
>an ideal world I would have a wildcard certificate; but in an ideal world
>they also wouldn't be approximate ten times as expensive.
>
>Subversion is beginning to become a technology I can simply rely upon.
>Thanks for all the functionality and reliability improvements.
>
>Regards,
>Adam
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
>For additional commands, e-mail: dev-help@subversion.tigris.org
>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Apr 22 10:01:39 2003

This is an archived mail posted to the Subversion Dev mailing list.