[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Server cert approval on OS X

From: Karl Fogel <kfogel_at_red-bean.com>
Date: Wed, 03 Sep 2008 13:27:13 -0400

Jack Repenning <jackrepenning_at_tigris.org> writes:
> Ref: issue 2870
>
> OK, I'm sure this is coming out of left field for most readers, but
> issue 2870 points out that Subversion is unable to trust server
> certificates even though they're totally properly certified by a well-
> known CA. (The work around is the well-known "accept (p)ermanently?"
> question.) The report attempts to broaden the issue, but it was
> originally filed against an OS X client, and I believe that the
> problem is in fact isolated to OS X.
>
> In fact, on OS X, I believe this is an OS bug: failure to configure
> the cert store. A proper store of root certs is included with the OS,
> updated by the updater, well maintained, and properly formatted for
> use by OpenSSL (used by Subversion). But, it's not in the right place.
> A symbolic link can fix it all:
>
> ln -s /usr/share/curl/curl-ca-bundle.crt /System/Library/OpenSSL/
> cert.pem
>
> The issue suggests using the X509Anchors keychain (which is what
> Safari uses, for example), but given that Apple does provide an
> OpenSSL-compatible certificate store, it seems like Subversion has a
> legitimate choice: there's duplicate data here. Arguably, that's a
> second OS bug: Apple should be synchronizing the two. I believe they
> *do* synchronize them, as shipped from the factory, but each of them
> can also be extended by the user, and my feeble experiments seem to
> say that such changes are *not* synced.
>
> But in any case, using "one or the other of the confusingly twain
> keychains" seems at the least a vast improvement over "using none at
> all."
>
> Would it be a satisfactory solution to make the necessary symbolic
> link during Subversion installation (or advise that in some readme)?

Or what about advising it in the specific error message, just on OS X?

In the meantime, I've linked to this thread from the issue.

-Karl

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-09-03 19:42:51 CEST

This is an archived mail posted to the Subversion Dev mailing list.