Re: svn ls https://... results in "The certificate has an unknown error"

From: Erik Wasser <erik.wasser_at_iquer.net>
Date: Mon, 7 Dec 2009 10:40:33 +0100

On Friday 04 December 2009 14:54:25 Joe Orton wrote:

> On Fri, Nov 06, 2009 at 10:33:26AM +0100, Erik Wasser wrote:
> > Running the same command at home brings me to this:
> >
> > % svn ls https://dev.int.example.net/
> > Error validating server certificate for
> > 'https://dev.int.example.net:443': - The certificate hostname does not
> > match.
> > - The certificate has expired.
> > - The certificate has an unknown error.
> > Certificate information:
> > - Hostname: *.example.net
> > - Valid: from Mon, 11 Jun 2007 00:00:00 GMT until Wed, 15 Sep 2010
> > 23:59:59 GMT
> > - Issuer: Comodo CA Limited, Salford, Greater Manchester, GB
> > - Fingerprint:
> > d2:d6:76:ee:7c:b1:87:ce:28:6a:0e:eb:c5:03:87:30:cf:1d:a7:b9 (R)eject or
> > accept (t)emporarily?
>
> Is this issue still reproducible with neon 0.29? The most obvious cause
> would be the system clock being wrong on this host.

Yes, it's still reproducible with neon 0.29. neon-0.28.6 is working and
neon-0.29.0 isn't working.

The problem is that I have two systems here (both with a correct clock) and
one of them is working with version neon 0.29 and the other doesn't play
along. It's very strange.

> The second error "The certificate has an unknown error." is caused by
> SVN not handling some new cert verification failure modes in neon 0.29
> (NE_SSL_BADCHAIN, NE_SSL_REVOKED) - it would be helpful if you could
> file a bug on that against the "libsvn_ra_neon" component so this isn't
> forgotten.

Okay, I will do that.

> It is likely that the error being hit there is also an expired cert
> within the chain, and again, this could be caused by clock skew.

I'm controlling the server and the clients of the SSL cert and both have a
correct clock (syncing via NTP) so I think this is not a case of misleading
time.

-- 
So long... Erik
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2427769
Received on 2009-12-07 10:42:15 CET
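
The failure-bitmask decoding that Joe Orton's reply refers to, as an added example that is not part of the original mail and is not libsvn_ra_neon's code: a decoder that knows only the older flags reports NE_SSL_BADCHAIN as "unknown error", and still rejects because the leftover bits are returned. The numeric flag values, the function name `describe_failures`, and every message string other than the three quoted in the thread are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Flag names as in neon's ne_ssl.h; the numeric values are assumed here
 * so the example builds without neon installed. */
#define NE_SSL_NOTYETVALID 0x01
#define NE_SSL_EXPIRED     0x02
#define NE_SSL_IDMISMATCH  0x04
#define NE_SSL_UNTRUSTED   0x08
#define NE_SSL_BADCHAIN    0x10  /* named in the thread as new in neon 0.29 */
#define NE_SSL_REVOKED     0x40  /* named in the thread as new in neon 0.29 */

static const struct { int bit; const char *msg; } known[] = {
    { NE_SSL_IDMISMATCH,  "The certificate hostname does not match." },
    { NE_SSL_EXPIRED,     "The certificate has expired." },
    { NE_SSL_NOTYETVALID, "The certificate is not yet valid." },
    { NE_SSL_UNTRUSTED,   "The certificate issuer is not trusted." },
    /* Constructed wording for the two newer failure modes: */
    { NE_SSL_BADCHAIN,    "The certificate chain failed verification." },
    { NE_SSL_REVOKED,     "The certificate has been revoked." },
};

/* Write one line per failure bit, using only the first nknown table
 * entries. Bits with no entry produce a single "unknown error" line and
 * are returned, so the caller can still refuse the certificate. */
int describe_failures(int failures, size_t nknown, char *out, size_t outlen)
{
    int rest = failures;
    size_t i, used;
    out[0] = '\0';
    for (i = 0; i < nknown; i++) {
        if (!(failures & known[i].bit)) continue;
        used = strlen(out);
        snprintf(out + used, outlen - used, " - %s\n", known[i].msg);
        rest &= ~known[i].bit;
    }
    if (rest) {
        used = strlen(out);
        snprintf(out + used, outlen - used,
                 " - The certificate has an unknown error.\n");
    }
    return rest;
}

int main(void)
{
    char buf[512];
    int f = NE_SSL_IDMISMATCH | NE_SSL_EXPIRED | NE_SSL_BADCHAIN; /* constructed */
    describe_failures(f, 4, buf, sizeof buf); fputs(buf, stdout); /* older table */
    describe_failures(f, 6, buf, sizeof buf); fputs(buf, stdout); /* full table */
    return 0;
}
```

With the four-entry table the output has the same three-line shape as the prompt quoted in the thread; with all six entries the third line names the chain failure instead.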

This is an archived mail posted to the Subversion Users mailing list.