
Re: [PATCH] get-location-segments.py would work on self-signed ssl servers too

From: vijay <vijay_at_collab.net>
Date: Thu, 25 Aug 2011 21:59:12 +0530

On Monday 22 August 2011 09:37 AM, Prabhu Gnana Sundar wrote:
> On Thursday 18 August 2011 06:46 PM, Daniel Shahaf wrote:
>> I tried your patch against
>> https://svn.eu.apache.org/repos/asf/subversion/README
>> (which uses a non-self-signed cert, but rather one for which the cert's
>> hostname differs from the URI's hostname), and it didn't seem to work:
>>
>> [[[
>> ./tools/examples/get-location-segments.py
>> https://svn.eu.apache.org/repos/asf/subversion/README
>> Untrusted cert details are as follows:
>> --------------------------------------
>> Issuer : 07969287, http://certificates.godaddy.com/repository,
>> GoDaddy.com, Inc., Scottsdale, Arizona, US
>> Hostname : svn.apache.org
>> ValidFrom : Thu, 13 Nov 2008 18:56:12 GMT
>> ValidUpto : Thu, 26 Jan 2012 14:18:55 GMT
>> Fingerprint: cc:54:a4:a9:ec:3a:9b:1c:23:ac:2d:57:c6:96:9f:5f:4a:1d:2d:86
>>
>> accept (t)temporarily (p)permanently: t
>> Traceback (most recent call last):
>>   File "./tools/examples/get-location-segments.py", line 147, in <module>
>>     main()
>>   File "./tools/examples/get-location-segments.py", line 142, in main
>>     ra_session = ra.open(url, ra_callbacks, None, ctx.config)
>>   File "/usr/lib/pymodules/python2.6/libsvn/ra.py", line 534, in svn_ra_open
>>     return _ra.svn_ra_open(*args)
>> svn.core.SubversionException: ("OPTIONS of
>> 'https://svn.eu.apache.org/repos/asf/subversion/README': Server
>> certificate verification failed: certificate issued for a different
>> hostname (https://svn.eu.apache.org)", 175002)
>> zsh: exit 1 ./tools/examples/get-location-segments.py
>> ]]]
>>
>> What am I missing?
>>
>
> Something interesting... It is failing for me only with neon, but
> working fine with serf, seeing some inconsistencies here...
>
>
I built neon with "OPENSSL_NO_TLSEXT"; then it worked for me. :-)

You may want to look here.

From neon/src/ne_socket.c: ne_sock_connect_ssl()
<snip>
#ifdef SSL_set_tlsext_host_name
     if (ctx->hostname) {
         /* Try to enable SNI, but ignore failure (should only fail for
          * >255 char hostnames, which are probably not legal
          * anyway). */
         if (SSL_set_tlsext_host_name(ssl, ctx->hostname) != 1) {
             ERR_clear_error();
         }
     }
#endif
</snip>

Thanks & Regards,
Vijayaguru
Received on 2011-08-25 18:29:46 CEST

This is an archived mail posted to the Subversion Dev mailing list.