[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Update from 1.8.5 to 1.8.8 breaks my self-signed numeric IP certificate

From: Daniel Widdis <widdis_at_gmail.com>
Date: Mon, 03 Mar 2014 18:46:04 -0600

Hi, Lieven. No worries about sending the key... I can generate a new
one if/when this gets resolved!

In regard to the serf1 conversation, I'm using the latest version on
macports, 1.3.2. I can work to try to get 1.3.4 loaded somehow but
understand that may not be required.

Here's the output of the openssl command you requested. This is using a
self-signed cert that works with 1.8.5 and fails with 1.8.8.

<danielwiddis> ~ $ openssl s_client -connect 192.168.100.59:443
CONNECTED(00000003)
depth=0 CN = 192.168.100.59
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = 192.168.100.59
verify error:num=21:unable to verify the first certificate
verify return:1

---
Certificate chain
  0 s:/CN=192.168.100.59
    i:/CN=192.168.100.59
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC2TCCAcGgAwIBAgIJAPKhN26bz/IrMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNV
BAMTDjE5Mi4xNjguMTAwLjU5MB4XDTE0MDMwMTAyMjExNloXDTI0MDIyNzAyMjEx
NlowGTEXMBUGA1UEAxMOMTkyLjE2OC4xMDAuNTkwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDhpux+KA5HmT78yVFLiasC87R/TelmFlm64UimUllPJuQ/
n8Hwf+2Zinju675LZByPzAnV7qBhJa17o6RO73alUM1zBdK2Aow4TbJR7hbs5iaa
6W8z8GeCL4vo8pg7RHaTtiLu8+fiSgtR9A7+pSl7v91NhpEC9amd5HT95HQnJrD6
QssZEboKSqzWetR/uKjtG9/7VvIQW/kg4GLPHGC4uvQEbQhvClDDaIQ2b6Oxr6Zy
JTxjuzGh+GlewUOVfT0P6LphFVFZj5Q4XgnhUQcOp4dG2w7B+MokwDksHq/g0Mfy
tdPuZs+DxrB3NmTDV2yUK/CMjaf391VVGnf0zq7zAgMBAAGjJDAiMAsGA1UdDwQE
AwIEMDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAEor/
UEO6OKabsQhcAqi6cyjhbEbiDAM78IAQYD6HdY1+XQWNb3P+JxBoojKLJfcC5Lgf
7kvwWj3F0jeByxsHxcaNGmwEAnr1apuDZNb9o6++oHsMI5Cb8CznSjEUgsKhk8cK
dfH66dd2wHuPyrNVrKrkDFexvwuZ92NkT/WhCZkrWPUXz+F4dolAiIxvgNQkGSgc
aSUA/f9owl0/PJYOV542etU/fPTlwvAklsE8wMFPXwOyzWr/kueAYUSkKgN9/Vv4
2cw7VXXQmQjUGaKW2XQ12TIhtP5jRSpLevT9Dwp9LoCl5aq49gz+aUEWtRt0Vobm
U2pyvf2Ke++z7j+eBA==
-----END CERTIFICATE-----
subject=/CN=192.168.100.59
issuer=/CN=192.168.100.59
---
No client certificate CA names sent
---
SSL handshake has read 1611 bytes and written 518 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID: 
004AEB4377EDD3362C1D36B88B51B21F6033065CDEBBC5EA78D0575242CDF6C3
     Session-ID-ctx:
     Master-Key: 
68784FE78DC7C4374FF2CEF0EC59AF4B8570EB75DC62806F987863DA4771C4D86D5ADCA9A7D112C51B403202BA26029A
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket:
     0000 - d8 1e ea f1 26 96 70 cc-02 37 2c 9d df 47 0d 8a ....&.p..7,..G..
     0010 - b5 4d 77 32 3c 7a e7 21-fc eb 3e 8f e9 da 36 d2 .Mw2<z.!..>...6.
     0020 - 1a da cb 52 64 92 ff f4-f5 54 7d e0 82 13 f4 b1 ...Rd....T}.....
     0030 - 74 77 3d 41 98 a5 38 a8-2a 9a 77 e4 ed 74 38 78 tw=A..8.*.w..t8x
     0040 - ff f6 36 55 75 5c 07 4c-c8 58 bd ea cc 31 09 72 ..6Uu\.L.X...1.r
     0050 - c3 b5 6d 65 fa a0 64 7a-f9 e0 dd c1 9f a4 f2 f8 ..me..dz........
     0060 - 9f e6 38 08 22 af 37 23-ca c5 1a d9 9b dd 9b 24 ..8.".7#.......$
     0070 - 19 77 c0 83 f8 a5 cc 70-fa c6 9d d9 da 67 9e 9a .w.....p.....g..
     0080 - 48 43 93 a0 86 1a 95 8d-f1 f5 a8 5e 23 07 16 41 HC.........^#..A
     0090 - 49 99 c9 e1 5e c3 fa 70-71 bb d8 16 2d 61 01 ab I...^..pq...-a..
     00a0 - 2e 8d a5 eb 2e 31 f7 81-61 6f ab ee 39 2c e4 12 .....1..ao..9,..
     00b0 - b3 46 b2 8c 9a dc a7 3d-2e a2 64 48 2b 14 b1 5e .F.....=..dH+..^
     Start Time: 1393893584
     Timeout   : 300 (sec)
     Verify return code: 21 (unable to verify the first certificate)
---
closed
On 3/3/14, 4:48 PM, Lieven Govaerts wrote:
> Hi Daniel,
>
> On Sat, Mar 1, 2014 at 5:06 AM, Daniel Widdis <widdis_at_gmail.com> wrote:
>> I recently upgraded from 1.8.5 to 1.8.8 via macports. The new version
>> refused to permanently accept my self-signed certificate, citing an "unknown
>> error".
>>
>> Certificates generated on Windows 2008 Server using VisualSVN 2.7.4.
>>
>> Hostname is a numeric IP on a VPN (192.168.100.59)
>>
>> Client is Mac OS X 10.9.1 (Mavericks) with svn installed via Macports:
>>    subversion @1.8.5_1+universal (active) <---- this setup works
>>    subversion @1.8.8_0+no_bdb+universal <---- this setup fails
>>
>> Under 1.8.8:
>> $ svn update
>> Updating '.':
>> Error validating server certificate for 'https://192.168.100.59:443':
>>   - The certificate has an unknown error.
>> Certificate information:
>>   - Hostname: 192.168.100.59
>>   - Valid: from Mar  1 02:21:16 2014 GMT until Feb 27 02:21:16 2024 GMT
>>   - Issuer:
>>   - Fingerprint: BE:C4:65:B6:0E:BD:5C:EE:F4:DB:A9:E1:EB:AE:B6:BC:43:F2:E7:5E
>> (R)eject or accept (t)emporarily? t
>> At revision 46.
> Could you send:
> - the output of:
>    $ openssl s_client -connect 192.168.100.59:443
> - and/or create a self signed key + cert using your method that fails
> with svn 1.8.8 ?
>
> This should give us the necessary extra info to simulate your issue.
>
> Note: since you're using a self signed certificate this log/key-cert
> pair shouldn't contain any private info, but if you prefer you can
> send them to me privately.
>
>
>> Under 1.8.5 with no other changes:
>> $ svn update
>> Updating '.':
>> At revision 46.
>>
> regards,
>
> Lieven
Received on 2014-03-04 01:46:38 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.