Re: Problem with SSL auth with preshared certs E120171

On 20.01.2014 11:31, Simon D Morris wrote:
>
> Stefan Küng <tortoisesvn_at_gmail.com> wrote on 17/01/2014 20:14:53:
>
> >
> > Also: TSVN has the CAPI engine enabled in OpenSSL which might interfere
> > here in your situation. You can disable this by creating a DWORD value
> > in the registry under
> > HKCU\Software\TortoiseSVN\OpenSSLCapi
> > and set it to 0.
> > That will disable the CAPI engine.
> >
> > Stefan
>
>
> Tried the reg fix - it works fine now.
>
> I presume this is Windows' own crypto functions, certificate store etc?
> As far as I can tell, IE is happy with the site as I added my CA as
> trusted - so why does TSVN/openssl baulk?

You have a matching cert in the windows cert store, but that cert does
not authorize you to access the repo. Another cert is apparently needed
for that.

If there's only one cert that matches the server request in the cert
store, the OpenSSL CAPI engine uses that cert and does not offer a retry
if that cert does not succeed in authentication.

> If it's reasonably safe to disable, would it be sensible to add an
> option in TSVN? I'm going to be giving access to others, and I'd rather
> not have to have them poke around in the registry.

No, I won't add a visible option for this ever, because it only hides
the problem: you can solve the problem by importing the correct
certificate into the cert store and remove the other one, or you can
leave both if you really have to. But the cert that gives you access to
the repo *must* be properly imported into the cert store.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest interface to (Sub)version control
    /_/   \_\     http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3071818
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].