
Re: Regression: Bad cert handling in subversion 1.6.11

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Sat, 3 Jul 2010 21:30:47 +0300 (Jerusalem Daylight Time)

Firstly, thanks for the very clear bug report.

Sören Bernstein wrote on Sat, 3 Jul 2010 at 09:04 -0000:
> Hello all
>
> since I've upgraded to subversion 1.6.11 I found that there is a bug while
> accepting bad certs. This is also true for 1.6.12. I'm running gentoo stable
> amd64 and gentoo stable x86.
>
> While checking out a trunk from svn with a bad server cert, svn warns about
> it, but then it does not print the message with the options to accept or
> discard. Instead it sits and waits for user input, AFTER which it will show the
> input options.
>
> Subversion 1.6.9 does not have the error.
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1. Install subversion 1.6.11
> 2. Checkout from a server with bad cert
> 3. Wait for the warning message of subversion
>
> Actual Results:
> Subversion will print the information about the bad certificate and waits for
> user input. After Input it will show the input options for the prior input.
>
> Expected Results:
> Subversion should print the input options before waiting for input.
>
> A svn trunk with broken server cert could be found at:
> https://svn.tabos.org/repos/ffgtk/trunk
>

I cannot reproduce this using either svn 1.6.12 or svn 1.7.0-dev
(>=r937607) on Windows, over neon. If I run

    svn co https://svn.tabos.org/repos/ffgtk/trunk

then I get the following prompt:

    [[[
    Error validating server certificate for 'https://svn.tabos.org:443':
     - The certificate is not issued by a trusted authority. Use the
       fingerprint to validate the certificate manually!
     - The certificate hostname does not match.
    Certificate information:
     - Hostname: *.krueger-it.net
     - Valid: from Sat, 07 Feb 2009 13:02:12 GMT until Mon, 07 Feb 2011 13:02:12 GMT

     - Issuer: http://www.cacert.org, Root CA
     - Fingerprint: a2:d3:f0:83:f9:8e:96:dd:d6:7f:9e:eb:1f:0c:6a:56:28:86:e9:21
    (R)eject, accept (t)emporarily or accept (p)ermanently?
    ]]]

Just to clarify, if you type 'R<newline>' blindly at the prompt, does svn
read that and proceed to (R)eject the certificate? (it should print an
error message)
Received on 2010-07-03 20:31:43 CEST

This is an archived mail posted to the Subversion Users mailing list.
