
Re: [PATCH] get-location-segments.py would work on self-signed ssl servers too

From: Daniel Shahaf <danielsh_at_elego.de>
Date: Thu, 18 Aug 2011 16:16:09 +0300

I tried your patch against https://svn.eu.apache.org/repos/asf/subversion/README
(which uses a non-self-signed cert, but rather one for which the cert's
hostname differs from the URI's hostname), and it didn't seem to work:

[[[
 ./tools/examples/get-location-segments.py https://svn.eu.apache.org/repos/asf/subversion/README
Untrusted cert details are as follows:
--------------------------------------
Issuer : 07969287, http://certificates.godaddy.com/repository, GoDaddy.com, Inc., Scottsdale, Arizona, US
Hostname : svn.apache.org
ValidFrom : Thu, 13 Nov 2008 18:56:12 GMT
ValidUpto : Thu, 26 Jan 2012 14:18:55 GMT
Fingerprint: cc:54:a4:a9:ec:3a:9b:1c:23:ac:2d:57:c6:96:9f:5f:4a:1d:2d:86

accept (t)temporarily (p)permanently: t
Traceback (most recent call last):
  File "./tools/examples/get-location-segments.py", line 147, in <module>
    main()
  File "./tools/examples/get-location-segments.py", line 142, in main
    ra_session = ra.open(url, ra_callbacks, None, ctx.config)
  File "/usr/lib/pymodules/python2.6/libsvn/ra.py", line 534, in svn_ra_open
    return _ra.svn_ra_open(*args)
svn.core.SubversionException: ("OPTIONS of 'https://svn.eu.apache.org/repos/asf/subversion/README': Server certificate verification failed: certificate issued for a different hostname (https://svn.eu.apache.org)", 175002)
zsh: exit 1 ./tools/examples/get-location-segments.py
]]]

What am I missing?

Prabhu Gnana Sundar wrote on Thu, Aug 18, 2011 at 17:15:09 +0530:
> Hi all,
>
> Till now the get-location-segments.py script does not work against
> self-signed ssl servers. Now I have worked on
> the script and made it work even against the untrusted self-signed
> ssl servers.
>
> Attaching the patch and the log message with this mail. Please share
> your thoughts.
>
>
>
> Thanks and regards
> Prabhu

> get-location-segments.py script would now work for self-signed ssl servers too
>
> * tools/examples/get-location-segments.py
> (main): added a couple of auth providers to enable authenticating
> against self-signed ssl servers too (in interactive mode).
> (prompt_func_ssl_unknown_cert): new callback function
> (prompt_func_simple_prompt): new callback function
>
> Patch by: Prabhu Gnana Sundar <prabhugs{_AT_}collab.net>

> Index: tools/examples/get-location-segments.py
> ===================================================================
> --- tools/examples/get-location-segments.py (revision 1153033)
> +++ tools/examples/get-location-segments.py (working copy)
> @@ -21,6 +21,7 @@
> #
> import sys
> import os
> +import getpass
> from svn import client, ra, core
>
> def printer(segment, pool):
> @@ -71,6 +72,39 @@
> return url, peg_revision, start_revision, end_revision
>
>
> +def prompt_func_ssl_unknown_cert(realm, failures, cert_info, may_save, pool):
> + print "Untrusted cert details are as follows:"
> + print "--------------------------------------"
> + print "Issuer : " + str(cert_info.issuer_dname)
> + print "Hostname : " + str(cert_info.hostname)
> + print "ValidFrom : " + str(cert_info.valid_from)
> + print "ValidUpto : " + str(cert_info.valid_until)
> + print "Fingerprint: " + str(cert_info.fingerprint)
> + print ""
> + ssl_trust = core.svn_auth_cred_ssl_server_trust_t()
> + if may_save:
> + choice = raw_input( "accept (t)temporarily (p)permanently: ")
> + else:
> + choice = raw_input( "(r)Reject or accept (t)temporarily: ")
> + if choice == "t" or choice == "T":
> + ssl_trust.may_save = False
> + ssl_trust.accepted_failures = failures
> + if choice == "p" or choice == "P":
> + ssl_trust.may_save = True
> + ssl_trust.accepted_failures = failures
> + else:
> + ssl_trust = None
> + return ssl_trust
> +
> +def prompt_func_simple_prompt(realm, username, may_save, pool):
> + username = raw_input("username: ")
> + password = getpass.getpass(prompt="password: ")
> + simple_cred = core.svn_auth_cred_simple_t()
> + simple_cred.username = username
> + simple_cred.password = password
> + simple_cred.may_save = False
> + return simple_cred
> +
> def main():
> try:
> url, peg_revision, start_revision, end_revision = parse_args(sys.argv[1:])
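Review bot: In prompt_func_ssl_unknown_cert the test for "p" is a second `if` rather than an `elif`, so its `else: ssl_trust = None` branch also runs when the answer was "t", and temporary acceptance ends up returning None, which rejects the certificate. That is consistent with the run in the reply above, where "t" was entered and verification still failed. Suggest `elif choice == "p" or choice == "P":`, and honoring "p" only when may_save is true, since the other prompt does not offer it. Separately, `ssl_trust.accepted_failures = failures` accepts every failure that was raised while the prompt never prints which ones they are, so a hostname mismatch looks the same to the user as an unknown issuer; printing the decoded failures before asking would let the user see what is being accepted. The may_save prompt text also does not mention that any other answer rejects.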
> @@ -94,6 +128,8 @@
> providers = [
> client.get_simple_provider(),
> client.get_username_provider(),
> + core.svn_auth_get_simple_prompt_provider(prompt_func_simple_prompt, 2),
> + core.svn_auth_get_ssl_server_trust_prompt_provider(prompt_func_ssl_unknown_cert),
> client.get_ssl_server_trust_file_provider(),
> client.get_ssl_client_cert_file_provider(),
> client.get_ssl_client_cert_pw_file_provider(),
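Review bot: The new ssl server trust prompt provider is listed ahead of client.get_ssl_server_trust_file_provider(), and providers are tried in list order, so the prompt is consulted before any stored trust decision and a certificate accepted with (p) would be asked about again on the next run. Suggest moving it after the file provider, the same way the simple prompt provider follows get_simple_provider(). The bare `2` passed to svn_auth_get_simple_prompt_provider would also benefit from a comment saying it is the retry limit.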
Received on 2011-08-18 15:17:16 CEST

This is an archived mail posted to the Subversion Dev mailing list.