[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Hard time to verify ssl server certificate.

From: Tobias Ringström <tobias_at_ringstrom.mine.nu>
Date: 2005-03-03 00:24:31 CET

Josef Wolf wrote:

>>[I agree with everything Sussman has said, and I can confirm that neon
>>is only giving us the SHA-1 fingerprint, although it does not seem to be
>>documented anywhere.]
>>There are two problems here. The first is that Subversion does not
>>specify that it's displaying the SHA-1 fingerprint (although you tell in
>>a hackish way by the different fingerprint size), and the second is that
>>tinyca (which I know nothing about, btw) does not show you the SHA-1
>>fingerprint. I will work on making Subversion say that it's showing the
>>SHA-1 fingerprint, but you might want to contact the author of tinyca to
>>also show the SHA-1 fingerprint as well as the MD5 fingerprint.
>it looks to me that md5 is the default not only for tinyca, but for openssl
>too. Therefore it looks to me as if tinyca is doing the right thing. Thus,
I don't think the default value in OpenSSL is too interesting. One could
argue that SHA-1 is a better default because it's at least supposed to
be harder to fake. If you could point to an RFC or something that talks
about a recommended or required fingerprint hash, that would mean a lot

>IMHO, svn should print the sha1 digest only on DSA keys. Since svn doesn't
It's a certificate, not a key, and I don't understand why the key type
would have anything to do with the hash used to create the certificate's

>have options to select _which_ digest to print, both (md5 and sha1) should
>be printed.
I agree that it would be useful to print both, but as I said in my last
email, and as you confirmed in your reply, neon does not give us that

>>In the mean time, you should be able to generate an SHA-1 fingerprint
>>when you create the certificate using openssl using something like
>> openssl x509 -in server.crt -noout -fingerprint -sha1
>As I wrote earlier, this command don't work because svn stores the
>certificate in a format that is not recognized by the openssl command. :(
Read my suggestion again. Instead of trying to extract a piece from an
internal Subversion file (which is even created too late anyway) to
generate an MD5 fingerprint, a much better method is for you to generate
an SHA-1 fingerprint *when you create the certificate* and make that
fingerprint available for manual verification (as well as the MD5
fingerprint). You can do this today, and you don't have to wait until
Subversion (if ever) presents an MD5 fingerprint as well as the SHA-1


To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Mar 3 00:27:17 2005

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.