Posted to dev@subversion.apache.org by Adam Warner <li...@consulting.net.nz> on 2003/04/22 01:35:56 UTC

New auth system and hostname mismatch

Hi all,

I privately use subdomains with a non-wildcard globally trusted secure
certificate (macrology.co.nz, issued by Comodo). Subversion's new (0.21)
authority checking code complains about the hostname mismatch:

   Error validating server certificate: Unknown certificate issuer,
   Hostname mismatch. Accept? (y/N):

Is there a rule I can add to the ~/./subversion/auth subdirectory to accept
a subdomain.macrology.co.nz if macrology.co.nz is a valid certificate? In
an ideal world I would have a wildcard certificate; but in an ideal world
they also wouldn't be approximately ten times as expensive.

Subversion is beginning to become a technology I can simply rely upon.
Thanks for all the functionality and reliability improvements.

Regards,
Adam


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: New auth system and hostname mismatch

Posted by David Waite <ma...@akuma.org>.
There are a couple of different options here; you could add a hostname
mismatch override for those hosts, using something like the following in
the servers config file:

[groups]
macrology = *.macrology.co.nz

[macrology]
ssl-ignore-host-mismatch = true

You could also generate your own certificate authority certificate, and
generate your own wildcard certificate or certificate per host.  This
would be no less valid for those subdomains.

The third and fourth options involve changing code; either a new flag
which treats certificates as wildcard certificates, or a server host
alias override. I would prefer the fourth option (it's a lot less code
and appears more valid to me), but would probably want the
ssl-ignore-host-mismatch flag to go away if it was added.

What does everyone think, is this a useful enough option to put in, and
should the existing ignore option go away?

-David Waite

Adam Warner wrote:

>Hi all,
>
>I privately use subdomains with a non-wildcard globally trusted secure
>certificate (macrology.co.nz, issued by Comodo). Subversion's new (0.21)
>authority checking code complains about the hostname mismatch:
>
>   Error validating server certificate: Unknown certificate issuer,
>   Hostname mismatch. Accept? (y/N):
>
>Is there a rule I can add to the ~/./subversion/auth subdirectory to accept
>a subdomain.macrology.co.nz if macrology.co.nz is a valid certificate? In
>an ideal world I would have a wildcard certificate; but in an ideal world
>they also wouldn't be approximately ten times as expensive.
>
>Subversion is beginning to become a technology I can simply rely upon.
>Thanks for all the functionality and reliability improvements.
>
>Regards,
>Adam
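
Added example (not part of the thread and not Subversion's own code): a short Python audit of the servers fragment from the reply above, showing which hosts lose the certificate name check when ssl-ignore-host-mismatch is set, compared with a wildcard certificate. The function names, the simplified leftmost-label wildcard rule and the comma-separated group list are assumptions of this sketch.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: the servers-file fragment quoted in the reply above.
SERVERS = """
[groups]
macrology = *.macrology.co.nz

[macrology]
ssl-ignore-host-mismatch = true
"""

def cert_name_matches(cert_name: str, host: str) -> bool:
    """Compare a certificate name with a host; '*' may only be the whole leftmost label."""
    c, h = cert_name.lower().split("."), host.lower().split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        return c[1:] == h[1:]
    return c == h

def unchecked_patterns(servers_text: str) -> list:
    """Return the host globs whose group sets ssl-ignore-host-mismatch = true."""
    cfg = configparser.ConfigParser()
    cfg.read_string(servers_text)
    out = []
    for group, globs in cfg.items("groups"):
        if cfg.has_section(group) and cfg.getboolean(
                group, "ssl-ignore-host-mismatch", fallback=False):
            out += [g.strip() for g in globs.split(",")]  # list syntax is an assumption
    return out

def audit(servers_text: str, cert_name: str, host: str) -> str:
    """Classify a connection as 'verified', 'unverified-accepted' or 'rejected'."""
    if cert_name_matches(cert_name, host):
        return "verified"
    if any(fnmatchcase(host.lower(), g.lower()) for g in unchecked_patterns(servers_text)):
        return "unverified-accepted"  # name check skipped: any certificate name passes
    return "rejected"

if __name__ == "__main__":
    for cert in ("macrology.co.nz", "*.macrology.co.nz", "other.example"):
        print(cert, "->", audit(SERVERS, cert, "subdomain.macrology.co.nz"))
```

With the override in place, a certificate issued for an unrelated name is accepted for every host under the group's glob, whereas a wildcard certificate from a CA the client trusts keeps the name check intact.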