[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Subversion client, SSL and expiring CRLs

From: Tobias Ringström <tobias_at_ringstrom.mine.nu>
Date: 2005-03-01 12:52:35 CET

Graham Leggett wrote:

>If practical (in other words, if openssl can distinguish this error) could
>the message "certificate expired" be changed to "crl expired"? This should
>prevent people going on wild goose chases in future looking for expired
>certs when the certs have not actually expired :(
I've taken a quick look at your problem, and while OpenSSL is able to
distinguish the error you got, neon is not. I also found the following
TODO in the neon code:

    /* TODO: tricky to handle the 30-odd failure cases OpenSSL
     * presents here (see x509_vfy.h), and present a useful API to
     * the application so it in turn can then present a meaningful
     * UI to the user. The only thing to do really would be to
     * pass back the error string, but that's not localisable. So
     * just fail the verification here - better safe than
     * sorry. */

...but when that "code" is reached, it should generate an error message
that contains the error string from OpenSSL, but since you don't get
that, it looks like it's erroring out earlier, but I'm unsure how. It
might be a problem in how neon uses OpenSSL. Can you bring this up on
the Neon list? A reproduction recepie would probably be most welcome.


To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Mar 1 12:53:48 2005

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.