[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[proposal] Add option for trusting server certs

From: Daniel L. Rall <dlr_at_finemaltcoding.com>
Date: 2005-09-24 01:17:46 CEST

Invocation of 'svn --non-interactive' which contacts a mod_dav_svn server
over SSL should be possible. Currently, this doesn't seem to be possible
for self-signed certificates.

Use case:

Code which has auth credentials available but does not run interactively
should be able to contact a Subversion repository over SSL using ra_dav
without having to jump through hoops (see "Existing work-arounds" below).

Considerations:

This is behavior inconsistent with other Subversion options and
sub-commands, which all (?) provide a means to turn off interactivity
without impacting their basic usage.

svn's current behavior of identifying a server certificate as "issuer not
trusted" is consistent with most web browsers for questionable server certs,
which is to prompt for acceptance when a server cert with an unknown CA
(e.g. self-signed). However, the fact that this behavior is absolute is
not conducive to programmatic execution of svn or its APIs.

I'm guessing that the experimental svnserve-ssl branch has similar issues,
and would need to conform to any API modification.
http://svn.collab.net/repos/svn/branches/svnserve-ssl/

Existing work-arounds:

Open a pipe to the svn binary and omit --non-interactive. This has the
unfortunate site effect of requiring the caller to handle _all_ possible
interactivity, not just the "accept certificate" prompt (for instance, an
auth failure will also re-prompt for auth). Especially when the caller
actually desires the --non-interactive behavior for the non-server cert
case, this is less than ideal.

Suggested interface:

Add the equivalent of a 'svn --trust-server-cert' argument to the
libsvn_client and libsvn_ra APIs, and exposed it via the command-line
client.

Existing implementation:

libsvn_ra_dav indirectly invokes Neon's ne_openssl.c:check_certificate()
(passing in some callbacks), which hands back an error saying that the
server cannot be trusted:

    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
    case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
        /* TODO: and probably more result codes here... */
        failures |= NE_SSL_UNTRUSTED;
    ...
    if (failures == 0) {
        /* verified OK! */
        ret = NE_OK;
    } else {
        /* Set up the error string. */
        verify_err(sess, failures);
        ret = NE_ERROR;
        /* Allow manual override */
        if (sess->ssl_verify_fn &&
            sess->ssl_verify_fn(sess->ssl_verify_ud, failures, chain) == 0)
            ret = NE_OK;
    }

Neon allows errors to be ignored via a ne_session callback:

/* A callback which is used when server certificate verification is
 * needed. The reasons for verification failure are given in the
 * 'failures' parameter, which is a binary OR of one or more of the
 * above NE_SSL_* values. failures is guaranteed to be non-zero. The
 * callback must return zero to accept the certificate: a non-zero
 * return value will fail the SSL negotiation. */
typedef int (*ne_ssl_verify_fn)(void *userdata, int failures,
                                const ne_ssl_certificate *cert);

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Sep 24 01:18:34 2005

This is an archived mail posted to the Subversion Dev mailing list.