
Re: svn commit: r34179 - trunk/subversion/libsvn_ra_serf

From: Konstantin Kolinko <knst.kolinko_at_gmail.com>
Date: Fri, 14 Nov 2008 18:25:49 +0300

2008/11/14 Justin Erenkrantz <justin_at_erenkrantz.com>:
> On Fri, Nov 14, 2008 at 5:40 AM, Bert Huijben <b.huijben_at_competence.biz> wrote:
>> Why does serf ask to validate the entire chain?
>>
>> Every other client I know tries to validate certificates against a parent/root certificate and, if that fails, falls back to asking whether the user trusts the leaf certificate itself.
>
> Well, it's technically OpenSSL that does this. Now, perhaps serf
> could turn that off in OpenSSL, but, thinking about it, it makes sense
> to also present the entire chain - this is what FF3 et al do now.
>
>> If we implemented chain verification via the same API as the final certificate, the user would see several questions (in my case dialogs) before they could finally reach the https server. This is not common behavior.
>
> Go view a site that has a self-signed root CA and a bad server cert in
> FF3 and see how many times you have to explicitly approve your
> requests.
>

FYI:
My FF3 (3.0.4 on Windows) asked me only once.

I have a bad (expired) server certificate signed by a bad (expired) self-signed CA
certificate. FF asks me only once, and about the server certificate only (it
states the cause: the _issuer_ certificate is expired).

First it shows an error page with a "You can add an exception" link. Following
that link opens a dialog that downloads, shows and lets me approve the server
certificate. The CA certificate is not shown by the dialog, is not downloaded, and
is not added to the certificate stores when I approve the server certificate.

I can provide you with a link to the site, if you want.

Best regards,
Konstantin Kolinko
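An added example, in Go rather than the C that serf and OpenSSL are written in, and not code from serf, OpenSSL or Firefox: it builds the setup Konstantin describes (an expired self-signed CA and an expired server certificate signed by it; the names and dates are invented), walks the chain leaf-first and records one error per depth, which is the per-depth view an OpenSSL verify callback gives an application, and then collapses that list into a single prompt about the server certificate that names the issuer's expiry as the cause, the behaviour he reports seeing in Firefox.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ChainError is one problem at one depth, the shape an OpenSSL verify callback reports.
type ChainError struct {
	Depth           int // 0 = server (leaf) certificate, 1 = its issuer, ...
	Subject, Reason string
}

// verifyChain walks chain[0] (leaf) up to chain[len-1] (self-signed root) and
// collects every expiry and signature problem instead of stopping at the first.
func verifyChain(chain []*x509.Certificate, now time.Time) []ChainError {
	var errs []ChainError
	for depth, cert := range chain {
		subj := cert.Subject.CommonName
		if now.After(cert.NotAfter) {
			errs = append(errs, ChainError{depth, subj, "certificate has expired"})
		}
		issuer := cert // the last certificate in the chain must be self-signed
		if depth+1 < len(chain) {
			issuer = chain[depth+1]
		}
		if err := cert.CheckSignatureFrom(issuer); err != nil {
			errs = append(errs, ChainError{depth, subj, "signature not valid for issuer " + issuer.Subject.CommonName})
		}
	}
	return errs
}

// summarizeForUser collapses the per-depth list into one question about the server
// certificate only, naming problems higher up as the cause. "" means nothing to ask.
func summarizeForUser(chain []*x509.Certificate, errs []ChainError) string {
	if len(errs) == 0 {
		return ""
	}
	var reasons []string
	for _, e := range errs {
		where := ""
		if e.Depth > 0 {
			where = fmt.Sprintf("the issuer certificate %q: ", e.Subject)
		}
		reasons = append(reasons, where+e.Reason)
	}
	return fmt.Sprintf("Accept the certificate for %q? Cause: %s",
		chain[0].Subject.CommonName, strings.Join(reasons, "; "))
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// buildExpiredChain constructs the situation in the mail: an expired self-signed CA
// and an expired server certificate it signed. Names and dates are made up (valid during 2007 only).
func buildExpiredChain() []*x509.Certificate {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	notBefore := time.Date(2007, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter := time.Date(2008, 1, 1, 0, 0, 0, 0, time.UTC)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "svn.example.test"},
		DNSNames: []string{"svn.example.test"}, NotBefore: notBefore, NotAfter: notAfter,
	}
	leaf := makeCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return []*x509.Certificate{leaf, ca}
}

func main() {
	chain := buildExpiredChain()
	errs := verifyChain(chain, time.Date(2008, 11, 14, 15, 25, 0, 0, time.UTC)) // date of the mail
	fmt.Printf("%d problem(s) walking the chain: %+v\n%s\n", len(errs), errs, summarizeForUser(chain, errs))
}
```

Run with `go run`: it reports two problems, one at each depth, then the one-line prompt. The walker deliberately checks only expiry and the issuer signature; hostname matching, revocation and the rest of path validation are out of scope for the point being illustrated.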

Received on 2008-11-14 16:25:59 CET

This is an archived mail posted to the Subversion Dev mailing list.
