
Re: Thiiiiis close: SVN, OpenSSL, and OS X

From: Mark Phippard <markphip_at_gmail.com>
Date: Fri, 16 May 2008 19:47:58 -0400

On Fri, May 16, 2008 at 6:59 PM, Jack Repenning
<jackrepenning_at_tigris.org> wrote:
> Or, as Maxwell Smart used to say, "missed by THAT much!"
>
> As it turns out:
> * Subversion uses OpenSSL to do the "s" in https
> * Mac OS X comes with OpenSSL
> * SSL requires a bunch of "certifying authorities" to validate server
> certificates
> * Mac OS X comes with a bunch of 'em
> * ... but not installed anywhere that OpenSSL can find 'em!

FWIW, this same issue exists on Windows and Linux. I thought I recalled
that Subversion or Neon does not turn on some option that would make
OpenSSL trust default CAs. I also thought I saw a recent thread that
implied these certs have to be compiled into OpenSSL or something.

> Has this ever been discussed here in dev@ (or users@, for that matter)? I
> couldn't find it.

I know the general issue has been discussed. Probably not in the
specific context you are bringing up.

> OS X ships the CA keys buried inside their sweet Keychain Access app, which
> is swell for folks who speak KeychainServices. But OpenSSL doesn't (some
> quibble about portability, perhaps?). Lacking the CA keyring, the user gets
> the famous "(r)eject, accept (t)emporarily, accept (p)ermanently" dialog, a
> minor annoyance to the command-line user, a larger one to the GUI user since
> most of us GUI implementers haven't bothered to GUIfy that.

I do not think the last statement is true. It is pretty trivial to
implement the callback for this. All of the GUIs I use support it.

-- 
Thanks
Mark Phippard
http://markphip.blogspot.com/
Received on 2008-05-17 01:48:11 CEST
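
As an added illustration (not part of the original mail, and not Subversion or Neon code), the following Python sketch uses the standard `ssl` module, which wraps OpenSSL, to check the two things this thread turns on: where the linked OpenSSL expects to find CA certificates, and the fact that a client context trusts nothing until the default locations are explicitly loaded. The function names are hypothetical.

```python
import os
import ssl


def default_ca_locations():
    """Where the linked OpenSSL looks for CA certificates by default."""
    p = ssl.get_default_verify_paths()
    return {
        # Locations compiled into this OpenSSL build.
        "compiled": {"cafile": p.openssl_cafile, "capath": p.openssl_capath},
        # Locations actually usable now (None when the file/dir is missing).
        "resolved": {"cafile": p.cafile, "capath": p.capath},
        # Environment variables that override the compiled-in locations.
        "overrides": {p.openssl_cafile_env: os.environ.get(p.openssl_cafile_env),
                      p.openssl_capath_env: os.environ.get(p.openssl_capath_env)},
    }


def trusted_ca_count(load_defaults):
    """Count CA certificates in a fresh client context's trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty store
    if load_defaults:
        # Opt in to the default locations; without this call nothing is trusted.
        ctx.load_default_certs()
    # Certificates in a capath directory are loaded lazily, so this counts
    # only what was read from a bundle file (or the Windows system store).
    return ctx.cert_store_stats()["x509_ca"]


def diagnose():
    """Summarise whether default CAs are reachable for this OpenSSL build."""
    resolved = default_ca_locations()["resolved"]
    if resolved["cafile"] is None and resolved["capath"] is None:
        return "no usable default CA file or directory for this OpenSSL build"
    return "default CA location present; trusted only if the client loads it"


if __name__ == "__main__":
    print(default_ca_locations())
    print("CAs trusted without opting in:", trusted_ca_count(False))
    print("CAs trusted after load_default_certs():", trusted_ca_count(True))
    print(diagnose())
```
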

This is an archived mail posted to the Subversion Dev mailing list.
