The only reason I did not choose the extra config file directive is that
I thought that the system default authorities ought not to be used if
ssl-authorities-file was used. Well, I've changed my mind because I
cannot see how that could ever hurt.
Here goes patch number three which adds the new config option
ssl-trust-default-ca, tested and working. I hope you like it -- I know I
do! :-)
Here's the new log info:
* subversion/include/svn_config.h:
Added new server config file directive, ssl-trust-default-ca.
* subversion/libsvn_subr/config_file.c (svn_config_ensure):
Describe ssl-trust-default-ca in generated servers config files.
* subversion/libsvn_ra_dav/session.c (svn_ra_dav__open):
Only trust the default CAs if ssl-trust-default-ca is true.
/Tobias
Index: subversion/include/svn_config.h
===================================================================
--- subversion/include/svn_config.h (revision 6521)
+++ subversion/include/svn_config.h (working copy)
@@ -62,6 +62,7 @@
#define SVN_CONFIG_OPTION_HTTP_COMPRESSION "http-compression"
#define SVN_CONFIG_OPTION_NEON_DEBUG_MASK "neon-debug-mask"
#define SVN_CONFIG_OPTION_SSL_AUTHORITIES_FILE "ssl-authorities-file"
+#define SVN_CONFIG_OPTION_SSL_TRUST_DEFAULT_CA "ssl-trust-default-ca"
#define SVN_CONFIG_OPTION_SSL_IGNORE_UNKNOWN_CA "ssl-ignore-unknown-ca"
#define SVN_CONFIG_OPTION_SSL_IGNORE_INVALID_DATE "ssl-ignore-invalid-date"
#define SVN_CONFIG_OPTION_SSL_IGNORE_HOST_MISMATCH "ssl-ignore-host-mismatch"
Index: subversion/libsvn_subr/config_file.c
===================================================================
--- subversion/libsvn_subr/config_file.c (revision 6521)
+++ subversion/libsvn_subr/config_file.c (working copy)
@@ -787,6 +787,7 @@
"### http-timeout Timeout for HTTP requests in seconds\n"
"### http-compression Whether to compress HTTP requests\n"
"### neon-debug-mask Debug mask for Neon HTTP library\n"
+ "### ssl-trust-default-ca Whether to trust the system default CAs\n"
"### ssl-authorities-file File listing known and trusted CAs\n"
"### ssl-ignore-unknown-ca Allow untrusted server certificates\n"
"### ssl-ignore-invalid-date Allow expired/postdated certificates\n"
Index: subversion/libsvn_ra_dav/session.c
===================================================================
--- subversion/libsvn_ra_dav/session.c (revision 6521)
+++ subversion/libsvn_ra_dav/session.c (working copy)
@@ -602,18 +602,28 @@
if (is_ssl_session)
{
- const char *authorities_file;
+ const char *authorities_file, *trust_default_ca;
+
authorities_file = svn_config_get_server_setting(
cfg, server_group,
SVN_CONFIG_OPTION_SSL_AUTHORITIES_FILE,
NULL);
-
if (authorities_file != NULL)
{
ne_ssl_load_ca(sess, authorities_file);
ne_ssl_load_ca(sess2, authorities_file);
}
+ trust_default_ca = svn_config_get_server_setting(
+ cfg, server_group,
+ SVN_CONFIG_OPTION_SSL_TRUST_DEFAULT_CA,
+ "true");
+ if (strcasecmp(trust_default_ca, "true") == 0)
+ {
+ ne_ssl_load_default_ca(sess);
+ ne_ssl_load_default_ca(sess2);
+ }
+
/* When the CA certificate or server certificate has
verification problems, neon will call our verify function before
outright rejection of the connection.*/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Jul 21 22:12:32 2003