[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] Fix for Issue # 1267

From: Shlomi Fish <shlomif_at_vipe.stud.technion.ac.il>
Date: 2003-07-20 16:46:32 CEST

On Sun, 20 Jul 2003, Ben Collins-Sussman wrote:

> Shlomi Fish <shlomif@vipe.technion.ac.il> writes:
>
> > Resolves Issue #1267 (Have to say "No" several times to reject SSL
> > certificate.)
> >
> > * session.c
> > (server_ssl_callback): modified this function to set the ssl_certificate
> > flags in the session baton.
> >
> > * ra_dav.h
> > Added the ssl_certificate flags to the svn_ra_session_t baton.
> >
> > * util.c
> > (svn_ra_dav__parsed_request): reset the ssl_certificate flags at the
> > beginning of the request. Check for an SSL rejection and if so,
> > return an authorization error.
>
> OK, I've finally studied this patch, and now it's *my* turn to object
> to it. (Poor Shlomi... :-) )
>
> This patch adds a global cache to the RA session object, so that
> svn_ra_dav__parsed_request can return SVN_ERR_RA_NOT_AUTHORIZED. This
> causes svn_ra_dav__search_for_starting_props to stop retrying PROPFIND
> requests on parent directories, because, at the moment, it's only
> ignoring the more generic SVN_ERR_RA_DAV_REQUEST_FAILED.
>
> But I don't like the RA-session cache at all; it seems to me like
> somehow, we're failing to use neon properly (or neon has a bug?).
> Notice that svn_ra_dav__parsed_request calls
> svn_ra_dav__convert_error, which tries to map neon return-values to
> svn error codes. In particular, a NE_AUTH failure code gets mapped to
> SVN_ERR_RA_NOT_AUTHORIZED. But this mapping isn't happening, because
> for some reason, neon is returning a generic error (NE_ERROR).
>

It does:

Studying the source code of Neon (check the ne_negotiate_ssl() function in
ne_session.c) seems that Neoen is returning NE_ERROR if the SSL
Certificate did not past the test. (In fact, it seems it is the only error
it returns).

My patch is the only way to determine if this happened because of a
rejection of an SSL certificate, because Neon does not return a special
error in this case.

It might be a Neon mis-behaviour, but we should deal with it somehow.

Regards,

        Shlomi Fish

----------------------------------------------------------------------
Shlomi Fish shlomif@vipe.technion.ac.il
Home Page: http://t2.technion.ac.il/~shlomif/

An apple a day will keep a doctor away. Two apples a day will keep two
doctors away.

        Falk Fish

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Jul 20 16:47:55 2003

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.