
Re: Update from 1.8.5 to 1.8.8 breaks my self-signed numeric IP certificate

From: Ben Reser <ben_at_reser.org>
Date: Mon, 03 Mar 2014 15:23:26 -0800

On 3/3/14, 2:50 AM, Bert Huijben wrote:
>> -----Original Message-----
>> From: Daniel Widdis [mailto:widdis_at_gmail.com]
>> Sent: Saturday, 1 March 2014 05:06
>> To: users_at_subversion.apache.org
>> Subject: Update from 1.8.5 to 1.8.8 breaks my self-signed numeric IP
>> certificate
>>
>> I recently upgraded from 1.8.5 to 1.8.8 via macports. The new version
>> refused to permanently accept my self-signed certificate, citing an
>> "unknown error".

Some background on this issue here:
http://stackoverflow.com/questions/22108914/subversion-server-ssl-certificate-verification-failed-and-other-reasons

> We fixed a bug in Subversion where we accidentally accepted certificate
> issues that were reported after a different first certificate problem.
>
> My guess would be that your self-signed certificate is not completely valid,
> but we accidentally accepted it before because the first report was just
> that you weren't a known certificate authority. The second error could then
> be something like a problem in the certificate chain.

Bert's talking about this change from the CHANGES file:
    * ra_serf: properly ask multiple certificate validation providers for
      acceptance of certificate failures (r1535532)

Which is this change:
http://svn.apache.org/r1535532

I was under the impression that this didn't impact our command line client
because of the commit message that says we accept all or none of the failures.
Looking at the code reinforces that view.

It's possible this change is somehow involved, but I'm not seeing how.

> It could help to upgrade your serf to the latest version as this changes the
> handling of a few certificate checks.
>
> If the internal error is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE (which I
> happened to reproduce locally some time ago), upgrading to the latest serf
> should resolve this problem for you.

The X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE error issue doesn't make any
sense in the context of a self-signed certificate so I really don't think this
is related.

Can you verify which version of serf you're using? You can find this out by
running: svn --version -v

You'll get a lot of output but you're looking for this:
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - using serf 1.3.4
  - handles 'http' scheme
  - handles 'https' scheme

If you can do this with both the 1.8.5 and 1.8.8 version that would be
interesting. I don't use MacPorts myself but it looks like the serf-1 package
can be independently upgraded from subversion.

We were discussing this on IRC and Lieven suggested that we ask that you
generate a new key/cert pair and send them to us so we can try and replicate
the behavior. Because as things stand we're not sure what's wrong with the
certificate to trigger that other error. Your httpd.conf details would
probably be helpful as well.
Received on 2014-03-04 00:24:06 CET

This is an archived mail posted to the Subversion Users mailing list.