[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Built-In CA Certificates for https

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: 2006-06-10 18:14:41 CEST

Mark Phippard wrote:
> Eike Herzbach <tigris.aubncisdfh.20.disisit@spamgourmet.com> wrote on
> 06/09/2006 01:31:12 PM:
>
>> we have set up a svn server with apache2/mod_ssl and bought a ssl
> certificate,
>> expecting users would be able to connect without fuss.
>>
>> But unfortunately both the current TortoiseSVN aswell as the svn command
> line
>> client didn't have that CA built in, which was quite annoying since
> _every_ web
>> browser I tried (and I tried many, even older ones) knew the CA.
>>
>> My question: Why doesn't the svn clients have a current list of the CA
>> certificates built in?
>>
>> I guess it won't be much more than just integrating the certificates
> from
>> http://curl.haxx.se/docs/caextract.html into the build process...?
>
> I thought the default configuration of the servers file, even if OpenSSL
> knows about these CA's, is to not trust them. I think Subversion might
> already have the default CA's, it is just that it does not trust them.
>
> Go here: http://svn.haxx.se/ and search for: "ssl-trust-default-ca"

Actually, the 'ssl-trust-default-ca' param in the servers file defaults
already to yes. But on windows that doesn't work. Because OpenSSL
doesn't know anything about the windows CryptoAPI and its certificates.
Hell, I tried the last four hours to dig through that API to find a way
to validate a certificate and I couldn't make any sense of that API.

And it's not possible to build OpenSSL with certificates integrated as
Eike suggested with the link above. Curl has to add those certificates
on every startup to the OpenSSL session.

For me, that means I can't really 'fix' this in TSVN. This would require
some code changes in the Subversion (or neon) library.

Stefan 

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.tigris.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: dev-help@tortoisesvn.tigris.org
Received on Sat Jun 10 18:14:58 2006

This is an archived mail posted to the TortoiseSVN Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.