[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

ssl-trust-default-ca on windows

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: 2006-06-10 18:29:09 CEST


The config option ssl-trust-default-ca doesn't work on windows. No
matter what it is set to (and it already defaults to 'yes'), default CAs
aren't used to check a server certificate.
This seems to be a problem in OpenSSL (or maybe it's intentional, don't
know). Because OpenSSL doesn't know about the windows CryptoAPI and
therefore can't read those default CAs.

I noticed the problem first when I tried to connect to a repository
hosted on sourceforge.net - they have a valid and signed certificate for
their Subversion server, but all Subversion clients still warned me
about an unknown certificate, even though both IE and Firefox didn't.

My suggestion to 'fix' this would be to include our own default CA file
with the Subversion windows installer. To make this work, Subversion
would have to read that file and use it.
One problem I found with this approach: if there are more than one
certificate in a pem file pointed to by the ssl-authority-files param,
only the first in that file will be used. So I tried it differently:
create a separat pem file for all the CAs I know, then add each of those
files to the ssl-authority-files param separated by ';'. And this
actually works.

But to make it easier for the user (and the installer) I suggest that
the Subversion API defines a new server config option:
ssl-authority-files-dir which will point to a directory with pem files
in it. It can then parse that dir and load every pem file automatically.
That param should default to the install dir of the Subversion client
(or INSTALLDIR\ca or something like that).
All the installer would then have to do is to put all the pem files of
the CAs in the same (or the subdir) directory as the binaries.

A pem file we could use to split up into several ones can be found here:
http://curl.haxx.se/docs/caextract.html - it's under the mozilla
license, so I think it shouldn't be a problem.

What do you think?


   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.tigris.org
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Jun 10 18:29:45 2006

This is an archived mail posted to the Subversion Dev mailing list.