[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [Patch] Autmatically trust valid certificates on windows via CryptoApi

From: Ivan Zhakov <chemodax_at_gmail.com>
Date: 2007-03-11 10:17:43 CET

Hi Bert,

I like idea of your patch and patch itself. I've not tested and
carefully reviewed it yet. I'll do it ASAP.

Would you also please provide the change log message for this commit, as
described in HACKING?

http://subversion.tigris.org/hacking.html#log-messages

Please be sure you've reviewed the rest of the hacking document as
well.

-- 
Ivan Zhakov
On 3/9/07, Bert Huijben <BHuijben@competence.biz> wrote:
>         Hi,
>
> Since Windows NT 4.0, Windows contains a standard infrastructure for
> handling certificates, which allows central-rollout of
> ssl-root-certificates. Subversion however uses its own infrastructure
> which requires us to roll-out the certificate twice for our subversion
> users (and build system).
>
> For my own .net 2.0 binding of the subversion api (Available on
> google-code), I developed a check to verify if a certificate which
> subversion does not trust yet, is trusted by Windows (to allow automatic
> acceptance if windows accepts the certificate and all its properties).
>
> I just reworked the implementation to an implementation which can be
> included in subversion itself (see the attached patch). The code should
> work on Windows 2000+ and probably on older versions of Windows if a
> recent version of Internet Explorer is installed. If the CryptoApi is
> not available and/or the certificate is not 100% trusted by the
> CryptoApi (e.g. Invalid date, etc.) the certificate is not accepted and
> the behavior is the same as when the certificate is not checked at all.
>
>         Bert
>
> The patch is created against svn-trunk; it has not enough context to
> work against the 1.4.X branch on which I developed it. (TortoiseSvn did
> not allow me to add more context).
> The Google code repositories are a nice testcase, as these have a global
> valid certificate
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Mar 11 10:17:58 2007

This is an archived mail posted to the Subversion Dev mailing list.