[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Accepting a certificate with errors permanently

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Sat, 26 Jun 2010 10:36:46 +0300 (Jerusalem Daylight Time)

dasony wrote on Fri, 25 Jun 2010 at 12:00 -0000:
> Hello,
> I have a https subversion server that has an expired and untrusted
> certificate, and for the time being, I have no way to fix it. I'd like
> to my subversion client to ignore the errors and accept it. Usually in
> a case like this, there was an option for accepting a certificate
> permanently, but it's not there this time.
> Error validating server certificate for 'https://sc.snu.ac.kr:443':
> - The certificate is not issued by a trusted authority. Use the
> fingerprint to validate the certificate manually!
> - The certificate has expired.
> - The certificate has an unknown error.
> Certificate information:
> - Hostname: [deleted]
> - Valid: from Thu, 11 Sep 2008 01:32:15 GMT until Fri, 11 Sep 2009
> 01:32:15 GMT
> - Issuer: [deleted]
> - Fingerprint: [deleted]

It's pretty pointless to say [deleted] here since you didn't delete the
URL in the first line of the error message.

> (R)eject or accept (t)emporarily? t
> Is there anyway to make it offer that option,

It will not offer "(p)ermanently" when an "unknown error" is reported.

> or for me to manually add it to the trusted list? I think I should add
> something to ~/.subversion/auth/svn.ssl.server/, but I am yet to find
> any document about this.

I am not sure this will work. And I strongly recommend that you don't
do it unless you know *exactly* which certificate you are permitting
(that warning message is there for a reason).


Still here? Okay. Let's see an example:

% cat ~/.subversion/auth/svn.ssl.simple/f54456629587b37334a88e776b1ceb0c
K 10
V 1664
MII<<<...1658 more characters...>>>80=
K 8
V 1
K 15
V 33

That's a serialized hash. The numbers after K and V are the number of
characters in the following line. The big base64'd value for
"ascii_cert" is the certificate itself.

The paranoid approach is to get the certificate from the server
administrators directly. The non-paranoid approach is to grab the
certificate presented by the server and save it. The third approach
is to make Subversion offer the '(p)ermanently' option anyway (this
requires a source-code patch).

> I am using svn, version 1.6.6 (r40053) on Ubuntu Lucid.
> Thanks in advance.
Received on 2010-06-26 09:36:24 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.