[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [proposal] Add option for trusting server certs

From: Daniel Rall <dlr_at_finemaltcoding.com>
Date: 2005-09-26 20:34:12 CEST

On Sat, 24 Sep 2005, Ben Collins-Sussman wrote:

> Am I missing something? Why not add the self-signed cert's CA to the
> list of trusted CA's in the ~/.subversion/servers file? Then there'd
> be no prompting in the first place.

The only option I found in the book with which to register a trusted CA is
as follows:

  "Your run-time servers file also gives you the ability to make your
  Subversion client automatically trust specific CAs, either globally or on
  a per-host basis. Simply set the 'ssl-authority-files' variable to a
  semicolon-separated list of PEM-encoded CA certificates:

    [global]
    ssl-authority-files = /path/to/CAcert1.pem;/path/to/CAcert2.pem

  Many OpenSSL installations also have a pre-defined set of “default” CAs
  that are nearly universally trusted. To make the Subversion client
  automatically trust these standard authorities, set the
  'ssl-trust-default-ca' variable to 'true'."
    - http://svnbook.red-bean.com/en/1.1/ch06s04.html#svn-ch-6-sect-4.3.2

'ssl-authority-files' requires that I have ready access to the PEM-encoded
CA cert for every account on every machine from which I want to access the
server, and that the setup step of adding this information to the users'
~/.subversion/servers files be performed in each of those places. Given
the use case of non-interactivity, and ease of access to the CA cert, this
does not strike me as a particularly reasonable expectation from an user
experience perspective.

A callable version of 'ssl-trust-default-ca' option is what I want for
self-signed cert CAs, which appears to be the default for well-known CAs
(see libsvn_ra_dav/session.c):

      /* See if the user wants us to trust "default" openssl CAs. */
      trust_default_ca = svn_config_get_server_setting(
               cfg, server_group,
               SVN_CONFIG_OPTION_SSL_TRUST_DEFAULT_CA,
               "true");

      if (strcasecmp(trust_default_ca, "true") == 0)
        {
          ne_ssl_trust_default_ca(sess);
          ne_ssl_trust_default_ca(sess2);
        }

The key usability difference between 'ssl-authority-files' and
'ssl-trust-default-ca' is to make libsvn_ra_dav handle management of the CA
cert, rather than requiring N callers to do the management. Or Ben, were you
suggesting another way to implement this?

On Sat, 24 Sep 2005, Joe Orton wrote:

> On Fri, Sep 23, 2005 at 04:17:46PM -0700, Daniel L. Rall wrote:
> > Invocation of 'svn --non-interactive' which contacts a mod_dav_svn server
> > over SSL should be possible. Currently, this doesn't seem to be possible
> > for self-signed certificates.
>
> I think that all you really need here is a "--ignore-verify-failures"
> type option; a "turn off security" option for SSL.
>
> This should just be a local change to the cmdline UI which registers a
> server-cert auth provider and returns the equivalent of the "accept
> temporarily" option which the UI would present if driven interactively
> when an untrusted SSL cert is received.

Joe, were you thinking that this option would ignore more verification
failures than "untrusted CA"? I wouldn't want to tickle the completely
reasonable "turn off security -- NO!" reaction Brane mentioned.

> On 9/23/05, Daniel L. Rall <dlr@finemaltcoding.com> wrote:
> > Invocation of 'svn --non-interactive' which contacts a mod_dav_svn server
> > over SSL should be possible. Currently, this doesn't seem to be possible
> > for self-signed certificates.
> >
> >
> > Use case:
> >
> > Code which has auth credentials available but does not run interactively
> > should be able to contact a Subversion repository over SSL using ra_dav
> > without having to jump through hoops (see "Existing work-arounds" below).
> >
> >
> > Considerations:
> >
> > This is behavior inconsistent with other Subversion options and
> > sub-commands, which all (?) provide a means to turn off interactivity
> > without impacting their basic usage.
> >
> > svn's current behavior of identifying a server certificate as "issuer not
> > trusted" is consistent with most web browsers for questionable server certs,
> > which is to prompt for acceptance when a server cert with an unknown CA
> > (e.g. self-signed). However, the fact that this behavior is absolute is
> > not conducive to programmatic execution of svn or its APIs.
> >
> > I'm guessing that the experimental svnserve-ssl branch has similar issues,
> > and would need to conform to any API modification.
> > http://svn.collab.net/repos/svn/branches/svnserve-ssl/
> >
> >
> > Existing work-arounds:
> >
> > Open a pipe to the svn binary and omit --non-interactive. This has the
> > unfortunate site effect of requiring the caller to handle _all_ possible
> > interactivity, not just the "accept certificate" prompt (for instance, an
> > auth failure will also re-prompt for auth). Especially when the caller
> > actually desires the --non-interactive behavior for the non-server cert
> > case, this is less than ideal.
...

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Sep 26 20:34:00 2005

This is an archived mail posted to the Subversion Dev mailing list.