[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: New auth system and hostname mismatch

From: Adam Warner <lists_at_consulting.net.nz>
Date: 2003-04-22 12:38:08 CEST

Hi David Waite,

> However, my comment in response (after thinking about the issue) may
> still be valid - requiring the specification of an alternate host rather
> than completely ignoring host mismatches would be more strict and thus
> may be more desirable.
>
> For his example, he could get the wildcard behavior he wants using
> something like
>
> [groups]
> g1 = *.host.com
>
> [g1]
> ssl-host-override = host.com

Thanks for your replies David. This would be preferred. However the
existing server options workaround doesn't appear to work. This was added
to my ~/.subversion/servers file:

[groups]
macrology = *.macrology.co.nz

[macrology]
ssl-ignore-host-mismatch = true

Yet "svn up" still lead to:
$ svn up
Error validating server certificate: Unknown certificate issuer, Hostname
mismatch. Accept? (y/N): y
At revision 549.

I also had to add the option ssl-ignore-unknown-ca = true. If I understand
why this was necessary, it's because there is no certificate
*.macrology.co.nz. So an alias/host override would be essential in order
to get the issuer match to work.

BTW the new Mozilla browser has always treated my standard certificate as
a wildcard certificate. If you want to visit a work in progress,
https://nzae.macrology.co.nz you can test this for yourself. You should
find there is absolutely no warning that nzae.macrology.co.nz doesn't
match macrology.co.nz.

Regards,
Adam

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Apr 22 12:39:10 2003

This is an archived mail posted to the Subversion Dev mailing list.