
RE: [PATCH] Fix for temporarily accepting ssl certificate not working in javahl

From: <bert_at_qqmail.nl>
Date: Fri, 14 Oct 2016 18:46:43 +0200

I applied your patch on trunk and nominated it for the next 1.9 release. I created a similar patch for 1.8 as the code has the same bug there. I think the problem became visible after checking the accepted failures was improved in our ra-serf library.

Bert
Sent from my Windows 10 phone

From: Doros Agathangelou
Sent: Friday, 14 October 2016 02:37
To: dev_at_subversion.apache.org
Subject: [PATCH] Fix for temporarily accepting ssl certificate not working in javahl

Hi All

I discovered a small bug in javahl and I believe I have a one-line patch that fixes it.

When connecting to a server via https and a self-signed certificate is used on the server, we get a callback on the UserPasswordCallback.askTrustSSLServer() method that asks the user whether to reject the certificate, accept it temporarily or accept it permanently.

If we choose temporarily, whatever operation we were attempting fails with a certificate not trusted error. The bug can be seen in a live environment by using the subclipse plugin under Eclipse and trying to load a repository using https:// from a server with a self-signed certificate. When the accept certificate dialog comes up, hit accept temporarily and you can see that the operation fails because the certificate is not trusted.

As for the fix:
The following excerpt from Prompter.cpp shows the cred->accepted_failures = failures; line. This is the line that 'accepts' any identified errors.

This line can be seen under the AcceptPermanently section but it is missing under the AcceptTemporary section. Adding the line to the AcceptTemporary section fixes this problem. The difference between the two blocks of code then becomes whether the credentials may be saved or not (i.e. the cred->may_save differs).

 switch (authn.ask_trust_ssl_server(::Java::String(env, question), may_save))
    {
    case org_apache_subversion_javahl_callback_UserPasswordCallback_AcceptTemporary:
      cred->may_save = FALSE;
         cred->accepted_failures = failures;   // ** NEW LINE I ADDED **
      *cred_p = cred;
      break;
    case org_apache_subversion_javahl_callback_UserPasswordCallback_AcceptPermanently:
      cred->may_save = TRUE;
      cred->accepted_failures = failures;
      *cred_p = cred;
      break;
    default:
      *cred_p = NULL;
    }
  return SVN_NO_ERROR;
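
Review bot: The added `cred->accepted_failures = failures;` line in the AcceptTemporary case still carries the `// ** NEW LINE I ADDED **` marker and is indented deeper than `cred->may_save = FALSE;` above it; drop the comment and align the line before this is committed. With the change, the two accept cases differ only in the value assigned to `cred->may_save`, so consider assigning `accepted_failures` and `*cred_p` in one shared path and letting the cases set only `may_save`, which keeps the temporary and permanent branches from drifting apart again. The default branch leaves `*cred_p` as NULL, so a rejected certificate accepts no failures, and that behaviour should stay as it is.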

[[[
   Fix for temporarily accepting ssl certificate not working in javahl

   * subversion/bindings/javahl/native/Prompter.cpp
   (accept certificate temporarily): set the accepted failures to the identified failures in the temporarily accepted section
]]]

Best Regards
Doros
Received on 2016-10-14 18:46:55 CEST

This is an archived mail posted to the Subversion Dev mailing list.