
Re: Subversion and SSL *-certificates

From: Mark Phippard <markphip_at_gmail.com>
Date: 2007-04-17 17:07:26 CEST

On 4/17/07, Reinhard Brandstädter <reinhard.brandstaedter@jku.at> wrote:
> On Tuesday 17 April 2007 16:07, deckrider wrote:
> > If you look in ~/.subversion/servers you'll see a lot of ssl options
> > you can use.
> >
> > Also, check out ~/.subversion/README.txt for the locations of
> > site-wide and per-user configurations on the various supported
> > platforms.
>
> I know that these settings are there and how to use them. Nevertheless the SSL
> library Subversion seems to use considers a *-certificate as invalid although
> it's a valid certificate.
>
> The key point of this is:
> A user of these repositories either permanently accepts an invalid certificate
> or every time he connects to the repository gets a hint that the certificate
> is invalid and accepts it. After some time he won't read the hint or check
> the certificate anymore. So if the certificate on the server gets compromised
> (and really invalid!) he'd still accept it (because he's used to it) - this
> is a security risk!

Can you paste in the exact message the user sees? I do not recall
Subversion ever making any claims about the validity of a certificate.
What it does is show you the details of a certificate and ask you if
you want to accept it. It does this for all certificates, even ones
provided by root CAs.

-- 
Thanks
Mark Phippard
http://markphip.blogspot.com/
Received on Tue Apr 17 17:07:48 2007

This is an archived mail posted to the Subversion Users mailing list.
