Below is a debug transcript of svn trying to connect to a repository that uses https://. I have added the root certificate to my .subversion/servers file and it does not error, so it loads the certificate OK. But, as you can see, it does not succeed in opening an SSL connection. Any help is much appreciated.
Z
ssl: Match common name 'GeoTrust Global CA' against ''
Identity match for '': bad
Doing SSL negotiation.
ssl: Verify callback @ 2 => 20
ssl: Verify failures |= 8 => 8
ssl: Verify callback @ 2 => 27
ssl: Verify failures |= 8 => 8
Chain depth: 3
ssl: Match common name '*.example.com' against ''
ssl: Match common name 'example.com' against ''
Identity match for '': bad
Cert #0:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 79158 (0x13536)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
Validity
Not Before: Feb 12 02:34:03 2012 GMT
Not After : Apr 15 19:02:56 2013 GMT
Subject: serialNumber=jVTQv8THWlxpYsWrzFMyp8dJ9q6FsvBW, C=US, ST=Texas, L=Houston, O=Hosting Company, CN=*.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
<snip>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:*.example.com, DNS:example.com
X509v3 CRL Distribution Points:
URI:http://gtssl-crl.geotrust.com/crls/gtssl.crl
X509v3 Subject Key Identifier:
70:0D:DE:7A:34:FD:D8:C8:BA:45:91:B1:54:97:E4:F4:2E:F5:74:5A
X509v3 Basic Constraints: critical
CA:FALSE
Authority Information Access:
CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt
Signature Algorithm: sha1WithRSAEncryption
<snip>
ssl: Match common name 'GeoTrust SSL CA' against ''
Identity match for '': bad
Cert #1:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 145104 (0x236d0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Validity
Not Before: Feb 19 22:39:26 2010 GMT
Not After : Feb 18 22:39:26 2020 GMT
Subject: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
<snip>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
X509v3 Authority Key Identifier:
keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 CRL Distribution Points:
URI:http://crl.geotrust.com/crls/gtglobal.crl
Authority Information Access:
OCSP - URI:http://ocsp.geotrust.com
Signature Algorithm: sha1WithRSAEncryption
<snip>
ssl: Match common name 'GeoTrust Global CA' against ''
Identity match for '': bad
Cert #2:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1227750 (0x12bbe6)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Validity
Not Before: May 21 04:00:00 2002 GMT
Not After : Aug 21 04:00:00 2018 GMT
Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
<snip>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
X509v3 Subject Key Identifier:
C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 CRL Distribution Points:
URI:http://crl.geotrust.com/crls/secureca.crl
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
CPS: https://www.geotrust.com/resources/repository
Signature Algorithm: sha1WithRSAEncryption
<snip>
ssl: Match common name '*.example.com' against 'sub.example.com'
Identity match for 'sub.example.com': good
Error validating server certificate for 'https://sub.example.com:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: *.example.com
- Valid: from Sun, 12 Feb 2012 02:34:03 GMT until Mon, 15 Apr 2013 19:02:56 GMT
- Issuer: GeoTrust, Inc., US
- Fingerprint: d1:a6:19:f6:04:33:e6:6f:dc:bb:f1:83:72:fc:ba:2a:b6:b7:a3:e5
(R)eject, accept (t)emporarily or accept (p)ermanently? r
SSL certificate checks failed: Server certificate verification failed: issuer is not trusted
svn: OPTIONS of 'https://sub.example.com/path': Server certificate verification failed: issuer is not trusted (https://sub.example.com)
_____________________
Zachary Burnham
Web Developer
EFI Consumer Division
Received on 2012-03-09 20:43:30 CET
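
Added example, not part of the original post: a small decoder for the debug lines in the transcript above, showing which certificate in the presented chain failed and which issuer the verifier could not find locally. It assumes the "Cert #N" index equals the OpenSSL verify depth and that the callback numbers are OpenSSL X509_V_ERR_* codes; the function names are illustrative.

```python
import re

# Excerpt of the transcript above: verify callbacks plus each certificate's names.
TRANSCRIPT = """\
ssl: Verify callback @ 2 => 20
ssl: Verify failures |= 8 => 8
ssl: Verify callback @ 2 => 27
ssl: Verify failures |= 8 => 8
Cert #0:
Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
Subject: C=US, ST=Texas, L=Houston, O=Hosting Company, CN=*.example.com
Cert #1:
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Subject: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
Cert #2:
Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
"""

# OpenSSL verification error codes that appear in the transcript.
X509_ERRORS = {20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
               27: "X509_V_ERR_CERT_UNTRUSTED"}
# neon failure bits (ne_ssl.h) accumulated in the "Verify failures" lines.
NE_FLAGS = {0x01: "NE_SSL_NOTYETVALID", 0x02: "NE_SSL_EXPIRED",
            0x04: "NE_SSL_IDMISMATCH", 0x08: "NE_SSL_UNTRUSTED"}

def parse_chain(text):
    """Map 'Cert #N' index -> {'Issuer': ..., 'Subject': ...}."""
    chain, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Cert #(\d+):$", line):
            cur = chain.setdefault(int(m.group(1)), {})
        elif cur is not None and (m := re.match(r"(Issuer|Subject): (.+)$", line)):
            cur[m.group(1)] = m.group(2)
    return chain

def explain(text):
    """Decode each verify callback and attach the names of the failing cert."""
    chain = parse_chain(text)
    findings = []
    for depth, err in re.findall(r"Verify callback @ (\d+) => (\d+)", text):
        cert = chain.get(int(depth), {})
        findings.append({"depth": int(depth),
                         "error": X509_ERRORS.get(int(err), f"code {err}"),
                         "subject": cert.get("Subject"),
                         "issuer": cert.get("Issuer")})
    mask = 0
    for total in re.findall(r"Verify failures \|= \d+ => (\d+)", text):
        mask |= int(total)
    return findings, [n for b, n in NE_FLAGS.items() if mask & b]
```

Calling explain(TRANSCRIPT) reports both failures at depth 2: the GeoTrust Global CA certificate sent by the server is the one issued by Equifax Secure Certificate Authority, and it is that issuer the verifier could not locate.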