[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svn commit: r34179 - trunk/subversion/libsvn_ra_serf

From: Justin Erenkrantz <justin_at_erenkrantz.com>
Date: Fri, 14 Nov 2008 12:12:53 -0500

On Fri, Nov 14, 2008 at 11:41 AM, Justin Erenkrantz
<justin_at_erenkrantz.com> wrote:
> On Fri, Nov 14, 2008 at 11:36 AM, Eric Gillespie <epg_at_pretzelnet.org> wrote:
>> What extra security? People just say "yes" and get on with their
>> work. Even me. You're not going to change that, nor is Firefox.
>
> No, but at least we're ensuring that the cert chain is valid. -- justin

If we're comfortable with always accepting invalid cert chains, we
could use the following patch.

But, it seems wrong. *shrug* -- justin

Index: subversion/libsvn_ra_serf/util.c
===================================================================
--- subversion/libsvn_ra_serf/util.c (revision 34185)
+++ subversion/libsvn_ra_serf/util.c (working copy)
@@ -115,6 +115,14 @@ ssl_server_cert(void *baton, int failures,
   apr_hash_t *issuer, *subject, *serf_cert;
   void *creds;

+#if SERF_VERSION_AT_LEAST(0, 3, 0)
+ /* Implicitly approve any non-server certs. */
+ if (serf_ssl_cert_depth(cert) > 0)
+ {
+ return APR_SUCCESS;
+ }
+#endif
+
   apr_pool_create(&subpool, conn->session->pool);

   /* Extract the info from the certificate */
@@ -161,23 +169,8 @@ ssl_server_cert(void *baton, int failures,
                          SVN_AUTH_PARAM_SSL_SERVER_CERT_INFO,
                          &cert_info);

- /* OpenSSL/Serf will ask for validation of the entire chain (ie both
- * server and CA). This is generally a good thing - however, we need to
- * then make SVN's cert storage keyed off the certificate info so as
- * not to stomp on the entire chain on each request.
- *
- * If no hostname is provided in the cert, we'll construct the realmstring,
- * e.g. https://svn.collab.net:443
- */
- if (cert_info.hostname)
- {
- realmstring = cert_info.hostname;
- }
- else
- {
- realmstring = apr_uri_unparse(subpool, &conn->session->repos_url,
- APR_URI_UNP_OMITPATHINFO);
- }
+ realmstring = apr_uri_unparse(subpool, &conn->session->repos_url,
+ APR_URI_UNP_OMITPATHINFO);

   err = svn_auth_first_credentials(&creds, &state,
                                    SVN_AUTH_CRED_SSL_SERVER_TRUST,

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-11-14 18:13:07 CET

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.