
Re: Subversion and SSL *-certificates

From: Reinhard Brandstädter <reinhard.brandstaedter_at_jku.at>
Date: 2007-04-17 16:59:58 CEST

On Tuesday 17 April 2007 16:07, deckrider wrote:
> If you look in ~/.subversion/servers you'll see a lot of ssl options
> you can use.
>
> Also, check out ~/.subversion/README.txt for the locations of
> site-wide and per-user configurations on the various supported
> platforms.

I know that these settings are there and how to use them. Nevertheless, the SSL
library Subversion seems to use considers a *-certificate invalid although
it's a valid certificate.

The key point of this is:
A user of these repositories either permanently accepts an invalid certificate
or, every time he connects to the repository, gets a hint that the certificate
is invalid and accepts it. After some time he won't read the hint or check
the certificate anymore. So if the certificate on the server gets compromised
(and really invalid!) he'd still accept it (because he's used to it) - this
is a security risk!

Reinhard

Received on Tue Apr 17 17:00:24 2007

This is an archived mail posted to the Subversion Users mailing list.
