Posted to dev@subversion.apache.org by Mark Phippard <Ma...@softlanding.com> on 2005/06/22 17:37:00 UTC

Problem with JavaHL accepting SSL certificates temporary

We have had a problem come up in Subclipse relating to accepting SSL 
certificates.  If the user takes the option (provided from JavaHL) to 
accept the certificate temporarily, then only the initial request works. 
Any subsequent requests to that server fail due to an invalid certificate. 

In the best case scenario, some sort of temporary caching should be 
performed as the "Temporary" option verbiage suggests.  In the worst case 
the user should be prompted every time.  What is happening is that all 
subsequent requests are acting as if they rejected the certificate, which 
is worse than the worst case.  This is the error you get:

org.tigris.subversion.javahl.ClientException: RA layer request failed
svn: PROPFIND request failed on '/repos/svn'
svn: PROPFIND of '/repos/svn': Server certificate verification failed: 
issuer is not trusted (https://svn.collab.net)

I have attached a patch for the JavaHL test suite that demonstrates the 
problem.  It uses the Subversion SSL repository for the test, so if you 
have already accepted that certificate you have to first remove it from 
your configuration area to see the problem.

The attached patch contains 2 other changes, which you can ignore.

1)  I changed the default repository type for the tests from BDB to fsfs.

2)  There is a new merge test I added back during the 1.2 RC period when 
there was a failure in JavaHL merge.  I just haven't removed the test and 
it is possible you might want to add it to the test suite.

Thanks

Mark 



_____________________________________________________________________________
Scanned for SoftLanding Systems, Inc. by IBM Email Security Management Services powered by MessageLabs. 
_____________________________________________________________________________
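
The behaviour the report above asks for, as an added example that is not part of the original thread and is not JavaHL code: a session-scoped trust cache in which a temporary acceptance stays valid for later requests in the same process, and a request with no cached answer prompts again instead of being treated as rejected. All class, method and host names are hypothetical, the certificate bytes are constructed sample data, and Java 17 or later is assumed for `HexFormat`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.HexFormat;
import java.util.Set;

// Hypothetical model, not JavaHL code: every name here is illustrative.
public class SessionTrustCache {
    public enum Decision { REJECT, ACCEPT_TEMPORARILY, ACCEPT_PERMANENTLY }

    /** Stands in for the UI prompt shown when certificate verification fails. */
    public interface Prompter { Decision ask(String host, String fingerprint); }

    private final Set<String> sessionTrusted = new HashSet<>();   // memory only, lost on exit
    private final Set<String> permanentTrusted = new HashSet<>(); // a real client would persist this
    private final Prompter prompter;

    public SessionTrustCache(Prompter prompter) { this.prompter = prompter; }

    /** Returns true if a connection presenting this certificate may proceed. */
    public synchronized boolean isTrusted(String host, byte[] certDer) throws Exception {
        String fp = HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(certDer));
        String key = host + "|" + fp; // a different certificate on the same host prompts again
        if (permanentTrusted.contains(key) || sessionTrusted.contains(key)) return true;
        Decision d = prompter.ask(host, fp); // no cached answer: prompt, never assume "reject"
        if (d == Decision.ACCEPT_PERMANENTLY) permanentTrusted.add(key);
        if (d == Decision.ACCEPT_TEMPORARILY) sessionTrusted.add(key);
        return d != Decision.REJECT; // a rejection is not cached
    }

    public static void main(String[] args) throws Exception {
        int[] prompts = {0};
        SessionTrustCache cache = new SessionTrustCache((host, fp) -> {
            prompts[0]++;
            return Decision.ACCEPT_TEMPORARILY;
        });
        byte[] certA = "constructed-cert-A".getBytes(StandardCharsets.UTF_8); // sample bytes, not real DER
        byte[] certB = "constructed-cert-B".getBytes(StandardCharsets.UTF_8);
        String host = "svn.example.org:443"; // placeholder host
        System.out.println(cache.isTrusted(host, certA)); // first request: the user is prompted
        System.out.println(cache.isTrusted(host, certA)); // later request: answered from the session cache
        System.out.println(cache.isTrusted(host, certB)); // changed certificate: prompted again
        System.out.println("prompts=" + prompts[0]);
    }
}
```

Keying the cache on host plus certificate fingerprint, not on host alone, keeps a temporary acceptance from silently covering a different certificate later presented by the same server.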

Re: Problem with JavaHL accepting SSL certificates temporary

Posted by Patrick Mayweg <ma...@qint.de>.
Hi Mark,
unfortunately I did not find time to look at your patch and debug that 
problem.
Regards,
Patrick

Mark Phippard wrote:

>I did not get any replies to this, so I am reposting.
>
>We have had a problem come up in Subclipse relating to accepting SSL 
>certificates.  If the user takes the option (provided from JavaHL) to 
>accept the certificate temporarily, then only the initial request works. 
>Any subsequent requests to that server fail due to an invalid certificate. 
>
>
>In the best case scenario, some sort of temporary caching should be 
>performed as the "Temporary" option verbiage suggests.  In the worst case 
>the user should be prompted every time.  What is happening is that all 
>subsequent requests are acting as if they rejected the certificate, which 
>is worse than the worst case.  This is the error you get:
>
>org.tigris.subversion.javahl.ClientException: RA layer request failed
>svn: PROPFIND request failed on '/repos/svn'
>svn: PROPFIND of '/repos/svn': Server certificate verification failed: 
>issuer is not trusted (https://svn.collab.net)
>
>I have attached a patch for the JavaHL test suite that demonstrates the 
>problem.  It uses the Subversion SSL repository for the test, so if you 
>have already accepted that certificate you have to first remove it from 
>your configuration area to see the problem.
>
>The attached patch contains 2 other changes, which you can ignore.
>
>1)  I changed the default repository type for the tests from BDB to fsfs.
>
>2)  There is a new merge test I added back during the 1.2 RC period when 
>there was a failure in JavaHL merge.  I just haven't removed the test and 
>it is possible you might want to add it to the test suite.
>
>Thanks
>
>Mark 
>------------------------------------------------------------------------
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
>For additional commands, e-mail: dev-help@subversion.tigris.org
>


Re: Problem with JavaHL accepting SSL certificates temporary

Posted by Mark Phippard <Ma...@softlanding.com>.
I did not get any replies to this, so I am reposting.

We have had a problem come up in Subclipse relating to accepting SSL 
certificates.  If the user takes the option (provided from JavaHL) to 
accept the certificate temporarily, then only the initial request works. 
Any subsequent requests to that server fail due to an invalid certificate. 


In the best case scenario, some sort of temporary caching should be 
performed as the "Temporary" option verbiage suggests.  In the worst case 
the user should be prompted every time.  What is happening is that all 
subsequent requests are acting as if they rejected the certificate, which 
is worse than the worst case.  This is the error you get:

org.tigris.subversion.javahl.ClientException: RA layer request failed
svn: PROPFIND request failed on '/repos/svn'
svn: PROPFIND of '/repos/svn': Server certificate verification failed: 
issuer is not trusted (https://svn.collab.net)

I have attached a patch for the JavaHL test suite that demonstrates the 
problem.  It uses the Subversion SSL repository for the test, so if you 
have already accepted that certificate you have to first remove it from 
your configuration area to see the problem.

The attached patch contains 2 other changes, which you can ignore.

1)  I changed the default repository type for the tests from BDB to fsfs.

2)  There is a new merge test I added back during the 1.2 RC period when 
there was a failure in JavaHL merge.  I just haven't removed the test and 
it is possible you might want to add it to the test suite.

Thanks

Mark 



