[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: certificate problems and 403 Forbidden for svn 0.25.0

From: Garret Wilson <garret_at_globalmentor.com>
Date: 2003-07-20 16:23:51 CEST

Thanks, Tobias, but for me this option is neither easier to use nor more
  secure.

First, my issue is not the prompting---it's the the failure to check
out. (I could even temporarily live with multiple prompts on checkout.)

Second, this solution would require me to distribute a separate file to
each new client who wishes to connect. That's not easier than simply
fixing the bug once and for all on the client.

And in theoretical terms it's not more secure. The whole idea of
certificate authorities is that they help authenticate certificates. If
a CA is used, it will recognize, for example, if you've decided to
revoke the certificate for a site. I don't think this would happen if
you've hard-configured a certificate on the client.

Lastly, I couldn't find "ssl-authorities-file" mentioned anywhere in the
Subversion book.

I could understand hard-configuring a root CA, but Subversion should
ship with a base list of authorized CAs, as browsers do.

But again, the real problem here is not the prompting---it's the failure
to check out. I guess you're saying that the checkout problem stems some
bug in the prompting, but I haven't yet confirmed whether this is the case.

Thanks for the suggestion in any case, but I don't think it's a good
option for me.

Garret

Tobias Ringstrom wrote:
> Garret Wilson wrote:
>
>> Yep, I just confirmed that I can checkout on my Linux server. But on
>> both Win2k and WinXP clients, I get:
>>
>> svn: RA layer request failed
>> svn: The path was not part of a repository
>> svn: PROPFIND request failed on '/'
>> svn: PROPFIND of '/': 403 Forbidden (https://svn.globalmentor.com)
>>
>> This is not good---I can't check out my repositories on Win32 clients
>> (i.e. all of my clients). (I can't revert to an old svn version,
>> because the old svn versions would timeout because of a large number
>> of files in the repository. I don't even know if that problem has been
>> fixed, because now I can't even check out any repository.)
>
>
> You can get around the problem by installing the server certificate in
> your servers file. That solution is both easier to use and more secure.
> See the book for the full explanation, but it is essentially:
>
> [groups]
> ringstrom = ringstrom.mine.nu
>
> [ringstrom]
> ssl-authorities-file = /home/tori/.subversion/ringstrom.pem
>
> If you do it like this, you will not get the prompt at all (unless
> someone is trying to hack you).
>
> /Tobias

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Jul 20 16:26:14 2003

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.