On 6/10/06, Stefan Küng <firstname.lastname@example.org> wrote:
> The config option ssl-trust-default-ca doesn't work on windows. No
> matter what it is set to (and it already defaults to 'yes'), default CAs
> aren't used to check a server certificate.
> This seems to be a problem in OpenSSL (or maybe it's intentional, don't
> know). Because OpenSSL doesn't know about the windows CryptoAPI and
> therefore can't read those default CAs.
> I noticed the problem first when I tried to connect to a repository
> hosted on sourceforge.net - they have a valid and signed certificate for
> their Subversion server, but all Subversion clients still warned me
> about an unknown certificate, even though both IE and Firefox didn't.
> My suggestion to 'fix' this would be to include our own default CA file
> with the Subversion windows installer. To make this work, Subversion
> would have to read that file and use it.
> One problem I found with this approach: if there are more than one
> certificate in a pem file pointed to by the ssl-authority-files param,
> only the first in that file will be used. So I tried it differently:
> create a separat pem file for all the CAs I know, then add each of those
> files to the ssl-authority-files param separated by ';'. And this
> actually works.
> But to make it easier for the user (and the installer) I suggest that
> the Subversion API defines a new server config option:
> ssl-authority-files-dir which will point to a directory with pem files
> in it. It can then parse that dir and load every pem file automatically.
> That param should default to the install dir of the Subversion client
> (or INSTALLDIR\ca or something like that).
> All the installer would then have to do is to put all the pem files of
> the CAs in the same (or the subdir) directory as the binaries.
> A pem file we could use to split up into several ones can be found here:
> http://curl.haxx.se/docs/caextract.html - it's under the mozilla
> license, so I think it shouldn't be a problem.
> What do you think?
I think making this an option in the installer could be a good idea.
Since it will already work by putting the pem files in the config, I
doubt anyone will go to the work of adding an option unless you
provide a patch. Even then, would the option just be ignored on unix
It also seems like handling changes to the default ca's could be
tricky -- I don't know how often that happens, though. Usually the OS
handles those in its 'normal' update procedures, right? I'm pretty
sure Windows does, and I would assume unix does.
Maybe it would be better to look into making OpenSSL pay attention to
Windows default ca's? No idea what's involved with that.
To unsubscribe, e-mail: email@example.com
For additional commands, e-mail: firstname.lastname@example.org
Received on Fri Jun 16 14:40:44 2006