[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Server cert approval on OS X

From: Jack Repenning <jackrepenning_at_tigris.org>
Date: Wed, 3 Sep 2008 10:21:23 -0700

Ref: issue 2870

OK, I'm sure this is coming out of left field for most readers, but
issue 2870 points out that Subversion is unable to trust server
certificates even though they're totally properly certified by a well-
known CA. (The work around is the well-known "accept (p)ermanently?"
question.) The report attempts to broaden the issue, but it was
originally filed against an OS X client, and I believe that the
problem is in fact isolated to OS X.

In fact, on OS X, I believe this is an OS bug: failure to configure
the cert store. A proper store of root certs is included with the OS,
updated by the updater, well maintained, and properly formatted for
use by OpenSSL (used by Subversion). But, it's not in the right place.
A symbolic link can fix it all:

  ln -s /usr/share/curl/curl-ca-bundle.crt /System/Library/OpenSSL/
cert.pem

The issue suggests using the X509Anchors keychain (which is what
Safari uses, for example), but given that Apple does provide an
OpenSSL-compatible certificate store, it seems like Subversion has a
legitimate choice: there's duplicate data here. Arguably, that's a
second OS bug: Apple should be synchronizing the two. I believe they
*do* synchronize them, as shipped from the factory, but each of them
can also be extended by the user, and my feeble experiments seem to
say that such changes are *not* synced.

But in any case, using "one or the other of the confusingly twain
keychains" seems at the least a vast improvement over "using none at
all."

Would it be a satisfactory solution to make the necessary symbolic
link during Subversion installation (or advise that in some readme)?

-==-
Jack Repenning
jackrepenning_at_tigris.org
Project Owner
SCPlugin
http://scplugin.tigris.org
"Subversion for the rest of OS X"

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-09-03 19:21:47 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.