
Re: Is Permanently Accept SSL Certificate gone in 1.10.4 ?

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Sat, 20 Jul 2019 18:54:20 +0000

Stefan Sperling wrote on Sat, 20 Jul 2019 09:51 +00:00:
> But as a user I find it infuriating when software I use contains
> artificial restrictions like this. We should assume our users know
> what they are doing. Subversion is not a web browser.

I'm not entirely sure I'm convinced by this logic. Let's take OpenSSH for example:

[[[
% ed .ssh/known_hosts
g/^hermes/d
s/^[^ ]*/hermes.apache.org/
w
q
% ssh hermes.apache.org
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:gJUlDrKOTnUQ/lAx6eM4Ylq6z/5ere2tJoLEgrfM++A.
Please contact your system administrator.
Add correct host key in /home/daniel/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/daniel/.ssh/known_hosts:26
  remove with:
  ssh-keygen -f "/home/daniel/.ssh/known_hosts" -R hermes.apache.org
ECDSA host key for hermes.apache.org has changed and you have requested strict checking.
Host key verification failed.
zsh: exit 255 ssh hermes.apache.org
]]]

The error message does not give a way to continue the operation, but it
does tell you what command to run if you would like to proceed anyway.
This way, the buck stops with the user, but the program makes it quite
clear that this is an abnormal situation and caution should be
exercised.

Should we do something similar (but without the all-caps)? That's why
I proposed writing a command that takes a certificate on stdin and marks
it as trusted.

Daniel
Received on 2019-07-20 20:54:39 CEST
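
An added sketch of the workflow proposed in the message above, not part of the original post and not Subversion code: a strict check that only reports an unknown or changed certificate, plus a separate explicit step that reads a PEM certificate and pins its fingerprint. The `trust-cert` command name, the in-memory store, the host `svn.example.org` and the sample certificates are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprint(pem_text):
    """SHA-256 over the DER bytes, printed the way OpenSSH prints key hashes."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate on input")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    digest = hashlib.sha256(der).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check(store, host, pem_text):
    """Strict check: reports the state, never offers to continue."""
    fp = fingerprint(pem_text)
    pinned = store.get(host)
    if pinned is None:
        return "unknown", fp
    return ("ok" if pinned == fp else "changed"), fp

def trust(store, host, pem_text):
    """The separate, deliberate step: pin the certificate read from stdin."""
    store[host] = fingerprint(pem_text)
    return store[host]

def refusal(host, state, fp):
    """Error text that names the command to run instead of prompting."""
    return (f"Certificate for {host} is {state}: {fp}\n"
            "Verify the fingerprint out of band, then, to trust it, run:\n"
            f"  trust-cert {host} < cert.pem   # hypothetical command name")

def sample_pem(payload):
    """Constructed stand-in for a certificate (not valid X.509)."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    store, host = {}, "svn.example.org"  # constructed host name
    old, new = sample_pem(b"constructed cert A"), sample_pem(b"constructed cert B")
    trust(store, host, old)
    state, fp = check(store, host, new)
    if state != "ok":
        print(refusal(host, state, fp))
```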

This is an archived mail posted to the Subversion Users mailing list.
