[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0

From: Tobias Ringström <tobias_at_ringstrom.mine.nu>
Date: 2003-07-21 22:11:23 CEST

The only reason I did not choose the extra config file directive is that
I thought that the system default authorities ought not to be used if
ssl-authorities-file was used. Well, I've changed my mind because I
cannot see how that could ever hurt.

Here goes patch number three which adds the new config option
ssl-trust-default-ca, tested and working. I hope you like it -- I know I
do! :-)

Here's the new log info:

* subversion/include/svn_config.h:
   Added new server config file directive, ssl-trust-default-ca.

* subversion/libsvn_subr/config_file.c (svn_config_ensure):
   Describe ssl-trust-default-ca in generated servers config files.

* subversion/libsvn_ra_dav/session.c (svn_ra_dav__open):
   Only trust the default CAs if ssl-trust-default-ca is true.


Index: subversion/include/svn_config.h
--- subversion/include/svn_config.h (revision 6521)
+++ subversion/include/svn_config.h (working copy)
@@ -62,6 +62,7 @@
 #define SVN_CONFIG_OPTION_HTTP_COMPRESSION "http-compression"
 #define SVN_CONFIG_OPTION_NEON_DEBUG_MASK "neon-debug-mask"
 #define SVN_CONFIG_OPTION_SSL_AUTHORITIES_FILE "ssl-authorities-file"
+#define SVN_CONFIG_OPTION_SSL_TRUST_DEFAULT_CA "ssl-trust-default-ca"
 #define SVN_CONFIG_OPTION_SSL_IGNORE_UNKNOWN_CA "ssl-ignore-unknown-ca"
 #define SVN_CONFIG_OPTION_SSL_IGNORE_INVALID_DATE "ssl-ignore-invalid-date"
 #define SVN_CONFIG_OPTION_SSL_IGNORE_HOST_MISMATCH "ssl-ignore-host-mismatch"
Index: subversion/libsvn_subr/config_file.c
--- subversion/libsvn_subr/config_file.c (revision 6521)
+++ subversion/libsvn_subr/config_file.c (working copy)
@@ -787,6 +787,7 @@
         "### http-timeout Timeout for HTTP requests in seconds\n"
         "### http-compression Whether to compress HTTP requests\n"
         "### neon-debug-mask Debug mask for Neon HTTP library\n"
+ "### ssl-trust-default-ca Whether to trust the system default CAs\n"
         "### ssl-authorities-file File listing known and trusted CAs\n"
         "### ssl-ignore-unknown-ca Allow untrusted server certificates\n"
         "### ssl-ignore-invalid-date Allow expired/postdated certificates\n"
Index: subversion/libsvn_ra_dav/session.c
--- subversion/libsvn_ra_dav/session.c (revision 6521)
+++ subversion/libsvn_ra_dav/session.c (working copy)
@@ -602,18 +602,28 @@
   if (is_ssl_session)
- const char *authorities_file;
+ const char *authorities_file, *trust_default_ca;
       authorities_file = svn_config_get_server_setting(
             cfg, server_group,
       if (authorities_file != NULL)
           ne_ssl_load_ca(sess, authorities_file);
           ne_ssl_load_ca(sess2, authorities_file);
+ trust_default_ca = svn_config_get_server_setting(
+ cfg, server_group,
+ "true");
+ if (strcasecmp(trust_default_ca, "true") == 0)
+ {
+ ne_ssl_load_default_ca(sess);
+ ne_ssl_load_default_ca(sess2);
+ }
       /* When the CA certificate or server certificate has
          verification problems, neon will call our verify function before
          outright rejection of the connection.*/

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Jul 21 22:12:32 2003

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.