Or, as Maxwell Smart used to say, "missed by THAT much!"

As it turns out:

* Subversion uses OpenSSL to do the "s" in https
* Mac OS X comes with OpenSSL
* SSL requires a bunch of "certifying authorities" to validate
  server certificates
* Mac OS X comes with a bunch of 'em
* ... but not installed anywhere that OpenSSL can find 'em!

Has this ever been discussed here in dev@ (or users@, for that
matter)? I couldn't find it.

OS X ships the CA keys buried inside their sweet Keychain Access app,
which is swell for folks who speak KeychainServices. But OpenSSL
doesn't (some quibble about portability, perhaps?). Lacking the CA
keyring, the user gets the famous "(r)eject, accept (t)emporarily,
accept (p)ermanently" dialog, a minor annoyance to the command-line
user, a larger one to the GUI user since most of us GUI implementers
haven't bothered to GUIfy that.

There's a quite straightforward end-user technique available to copy
the CAs out of Keychain Access and install them into OpenSSL (what you
do is, you copy them out of KA and drop them into the expected
directory), but having end-users do that is obviously undesirable.

What I'm wondering is, has anyone ever carried this complaint to
Apple? There's got to be a straightforward way for them to publish
the CA keyring where OpenSSL can find it (I use that slightly timid
and querulous tone because I did a bit of digging and learned that the
OS X CA keyring isn't ... *quite* ... handled like other keyrings,
sigh).

-==-
Jack Repenning
jackrepenning_at_tigris.org
Project Owner
SCPlugin
http://scplugin.tigris.org
"Subversion for the rest of OS X"
Received on 2008-05-17 01:00:10 CEST
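
One way to script the copy described in the message above, added here as an example and not code from the original post or from Subversion. It assumes the certificates are exported with `security find-certificate -a -p` from the keychain path shown (both are assumptions, neither is named in the post); the function names are hypothetical. OpenSSL's directory lookup expects one certificate per file, named by subject hash, which is what the second function produces.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# split_pem_bundle BUNDLE OUTDIR: one cert-NNN.pem per certificate; prints the count.
# Anything outside BEGIN/END markers (attribute dumps, stray text) is dropped.
split_pem_bundle() {
    bundle=$1 outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n); keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/ { keep = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# hash_link_certs SRCDIR CERTDIR: copy each parseable certificate to
# CERTDIR/<subject-hash>.<n>, the name OpenSSL looks up; prints how many were added.
hash_link_certs() {
    srcdir=$1 certdir=$2 installed=0
    for pem in "$srcdir"/cert-*.pem; do
        [ -f "$pem" ] || continue
        # Skip anything openssl cannot parse instead of installing it as a trust anchor.
        hash=$(openssl x509 -noout -hash -in "$pem" 2>/dev/null) || continue
        [ -n "$hash" ] || continue
        n=0
        while [ -e "$certdir/$hash.$n" ]; do
            cmp -s "$pem" "$certdir/$hash.$n" && continue 2   # already installed
            n=$((n + 1))
        done
        cp "$pem" "$certdir/$hash.$n" && installed=$((installed + 1))
    done
    echo "$installed"
}

# Real run, on OS X only: sh thisfile --install (writing to the OpenSSL dir needs root).
if [ "${1:-}" = "--install" ]; then
    # Assumed keychain path; adjust to where your OS X release keeps its roots.
    keychain=/System/Library/Keychains/SystemRootCertificates.keychain
    certdir=$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')/certs
    tmp=$(mktemp -d /tmp/cas.XXXXXX) || exit 1
    security find-certificate -a -p "$keychain" > "$tmp/bundle.pem" || exit 1
    split_pem_bundle "$tmp/bundle.pem" "$tmp/split" >/dev/null
    hash_link_certs "$tmp/split" "$certdir"
    rm -rf "$tmp"
fi
```

Everything copied this way becomes a trust anchor for every OpenSSL client on the machine, so review the exported list before installing it.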