Re: svn on OSX 10.7.3 can't find CA certificates

From: Zachary Burnham <zburnham_at_efi.org>
Date: Mon, 12 Mar 2012 10:03:16 -0400

On Mar 12, 2012, at 9:51 AM, Johan Corveleyn wrote:

On Mon, Mar 12, 2012 at 2:11 PM, Zachary Burnham <zburnham_at_efi.org> wrote:
I don't believe I was getting this before I upgraded to Lion (10.7). OS X
does something kind of funky with ssl certificates, it keeps them in the
"keychain" which applications can then access. I did find instructions for
how to export the certificate and put it somewhere where svn can find it,
but unfortunately they didn't work for me.

I don't have access to the server where this repository lives,
unfortunately. I'm also not sure how to check to see what version of the
OpenSSL library this was built against.

Ok, if you don't have control over the repository to make sure the
entire cert-chain is sent, you can try the following: make sure that
the .pem file that you refer to in ~/.subversion/servers contains the
"immediate issuer" of the server cert that you're trying to accept. So
not the top-level CA, but the intermediate CA that has directly issued
the server cert that you want to trust. You should be able to find and
export this by examining the certificate chain from within your
browser (or within the KeyChain tool or something).

And if that works, contact the server administrator and ask him to let
the server provide the chain with the SSLCertificateChainFile
directive, so you can go back to trusting the top-level CA.

--
Johan

It definitely has the 'immediate issuer' cert in it, Keychain Access does that decoding for us on OS X. When you examine the certificate in Safari, it shows three "levels" of certificates.

Z

By the way, is top or bottom posting proper for this list?
_____________________
Zachary Burnham
Received on 2012-03-12 15:04:51 CET
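
The check Johan describes in the message above (does the trusted .pem file hold the immediate issuer of the server cert, rather than only the top-level CA) can be run from the command line. This is an added example, not part of the original thread: it assumes the `openssl` CLI (1.0.2 or later for `-partial_chain`), builds a constructed three-level chain, and the helper names `immediate_issuer` and `make_demo_chain` are hypothetical. It shows openssl's own view of the chain and makes no claim about how svn's TLS library builds it.

```bash
#!/usr/bin/env bash
# Added example; every file name and CN here is constructed for the demo.

# Print the subject of each cert in PEM bundle $2 that directly issued cert $1.
# Returns 1 when the bundle holds no immediate issuer (e.g. only the top-level CA).
immediate_issuer() {
    leaf=$1; bundle=$2; rc=1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$bundle"
    want=$(openssl x509 -noout -issuer_hash -in "$leaf")
    for c in "$tmp"/c*.pem; do
        [ -f "$c" ] || continue
        # Name match first, then confirm the candidate's key really signed the leaf.
        if [ "$(openssl x509 -noout -subject_hash -in "$c")" = "$want" ] &&
           openssl verify -partial_chain -CAfile "$c" "$leaf" >/dev/null 2>&1; then
            openssl x509 -noout -subject -in "$c"
            rc=0
        fi
    done
    rm -rf "$tmp"
    return "$rc"
}

# Build a throwaway three-level chain (root -> intermediate -> server) in directory $1.
make_demo_chain() {
    ( cd "$1" || exit 1
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
      openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
          -subj '/CN=Demo Root CA' -days 2 || exit 1
      openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
          -subj '/CN=Demo Intermediate CA' || exit 1
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
          -extfile ca.ext -out int.pem -days 2 || exit 1
      openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
          -subj '/CN=svn.example.test' || exit 1
      openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
          -out srv.pem -days 2
    ) >/dev/null 2>&1
}

demo=$(mktemp -d) && make_demo_chain "$demo"
immediate_issuer "$demo/srv.pem" "$demo/root.pem" || echo "root.pem: not the immediate issuer"
immediate_issuer "$demo/srv.pem" "$demo/int.pem"   # prints the intermediate's subject
rm -rf "$demo"
```

To run it against a real setup, pass the exported server certificate as the first argument and the .pem file referenced in ~/.subversion/servers as the second.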

This is an archived mail posted to the Subversion Users mailing list.