[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Problem with SSL auth with preshared certs E120171

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Mon, 20 Jan 2014 18:47:05 +0100

On 20.01.2014 11:31, Simon D Morris wrote:
>
> Stefan Küng <tortoisesvn_at_gmail.com> wrote on 17/01/2014 20:14:53:
>
> >
> > Also: TSVN has the CAPI engine enabled in OpenSSL which might interfere
> > here in your situation. You can disable this by creating a DWORD value
> > in the registry under
> > HKCU\Software\TortoiseSVN\OpenSSLCapi
> > and set it to 0.
> > That will disable the CAPI engine.
> >
> > Stefan
>
>
> Tried the reg fix - it works fine now.
>
> I presume this is Windows' own crypto functions, certificate store etc?
> As far as I can tell, IE is happy with the site as I added my CA as
> trusted - so why does TSVN/openssl baulk?

You have a matching cert in the windows cert store, but that cert does
not authorize you to access the repo. Another cert is apparently needed
for that.

If there's only one cert that matches the server request in the cert
store, the OpenSSL CAPI engine uses that cert and does not offer a retry
if that cert does not succeed in authentication.

> If it's reasonably safe to disable, would it be sensible to add an
> option in TSVN? I'm going to be giving access to others, and I'd rather
> not have to have them poke around in the registry.

No, I won't add a visible option for this ever, because it only hides
the problem: you can solve the problem by importing the correct
certificate into the cert store and remove the other one, or you can
leave both if you really have to. But the cert that gives you access to
the repo *must* be properly imported into the cert store.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest interface to (Sub)version control
    /_/   \_\     http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3071818
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].
Received on 2014-01-20 18:47:01 CET

This is an archived mail posted to the TortoiseSVN Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.