Posted to dev@subversion.apache.org by Garret Wilson <ga...@globalmentor.com> on 2003/07/16 14:31:55 UTC
certificate problems and 403 Forbidden for svn 0.25.0
I apologize if this is a known problem---I've been out of the country
for the past month.
I just upgraded server and client to svn 0.25.0. Now, when I try to
check out something from a secure server, I get:
Error validating server certificate: Unknown certificate issuer. Accept?
(y/N):
That's expected. I hit "y", and get:
Error validating server certificate: Unknown certificate issuer. Accept?
(y/N):
Error validating server certificate: Unknown certificate issuer. Accept?
(y/N):
(Two in a row.) I hit "y" again, and get:
svn: RA layer request failed
svn: The path was not part of a repository
svn: PROPFIND request failed on '/'
svn: PROPFIND of '/': 403 Forbidden (https://svn.globalmentor.com)
Are there some install notes I missed for 0.25.0?
Garret
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by mark benedetto king <mb...@lowlatency.com>.
On Thu, Jul 17, 2003 at 10:30:10PM +0100, Chris Foote wrote:
> I think this is partly related to issue #1307.
> http://subversion.tigris.org/issues/show_bug.cgi?id=1307
>
> Here is the link to my original message which is similar to the problem
> you describe for the second prompt.
> http://www.contactor.se/~dast/svn/archive-2003-04/1502.shtml
>
> I've also added an alternative patch to the issue which tries to fix this
> another way.
>
> Regards,
> Chris
>
I've installed a copy of VS.NET so that I will be able to build and
test subversion on Win32. I plan on committing this patch then.
--ben
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Chris Foote <Ch...@xtra.co.nz>.
I think this is partly related to issue #1307.
http://subversion.tigris.org/issues/show_bug.cgi?id=1307
Here is the link to my original message which is similar to the problem
you describe for the second prompt.
http://www.contactor.se/~dast/svn/archive-2003-04/1502.shtml
I've also added an alternative patch to the issue which tries to fix this
another way.
Regards,
Chris
----- Original Message -----
From: "Garret Wilson" <ga...@globalmentor.com>
To: "Ben Collins-Sussman" <su...@collab.net>
Cc: <de...@subversion.tigris.org>
Sent: Thursday, July 17, 2003 3:45 PM
Subject: Re: certificate problems and 403 Forbidden for svn 0.25.0
> I've been talking to Ben about this off the list, and it turns out my
> checkouts still are not working. For Ben, the checkout succeeds after
> several certificate prompts. For me (with both a Win2K and WinXP
> client), the checkout fails (see message below) and the second prompt
> doesn't actually wait for me to input anything.
>
> I've created a test repository for you to reproduce this problem. Note
> that this repository has *no* files in it, and it still causes me problems:
>
> repository: https://svn.globalmentor.com/test
> username: bcs
> password: svn
>
> D:\temp>svn co https://svn.globalmentor.com/test
> Error validating server certificate: Unknown certificate issuer. Accept?
> (y/N):
> y
> Error validating server certificate: Unknown certificate issuer. Accept?
> (y/N):
> Error validating server certificate: Unknown certificate issuer. Accept?
> (y/N):
> y
> svn: RA layer request failed
> svn: The path was not part of a repository
> svn: PROPFIND request failed on '/'
> svn: PROPFIND of '/': 403 Forbidden (https://svn.globalmentor.com)
>
> I mentioned to Ben: Would the multiple prompts have anything to do with
> the fact that the certificate I'm using is from InstantSSL, which
> requires an extra CA certificate file to chain to the signing CA? (Other
> providers, such as Verisign and Thawte, don't require this chaining
> file---apparently because those CA's are already recognized by most
> browsers, but InstantSSL piggybacks off of Comodo or something. I
> haven't researched exactly how it works.)
>
> SSLCertificateFile /usr/share/ssl/certs/svn.globalmentor.com.crt
> SSLCertificateKeyFile /usr/share/ssl/certs/svn.globalmentor.com.key
> SSLCACertificateFile /usr/share/ssl/certs/instantssl-ca-bundle.txt
>
> Garret
>
> Ben Collins-Sussman wrote:
> > Garret Wilson <ga...@globalmentor.com> writes:
> >
> >
> >>I just upgraded server and client to svn 0.25.0. Now, when I try to
> >>check out something from a secure server, I get:
> >>
> >>Error validating server certificate: Unknown certificate
> >>issuer. Accept? (y/N):
> >>
> >>That's expected. I hit "y", and get:
> >>
> >>Error validating server certificate: Unknown certificate
> >>issuer. Accept? (y/N):
> >>Error validating server certificate: Unknown certificate
> >>issuer. Accept? (y/N):
> >>
> >>(Two in a row.) I hit "y" again, and get:
> >>
> >>svn: RA layer request failed
> >>svn: The path was not part of a repository
> >>svn: PROPFIND request failed on '/'
> >>svn: PROPFIND of '/': 403 Forbidden (https://svn.globalmentor.com)
> >>
> >>Are there some install notes I missed for 0.25.0?
> >
> >
> > I can't reproduce this error:
> >
> > $ svn ls https://svn.collab.net/repos/svn
> > Error validating server certificate: Unknown certificate issuer. Accept? (y/N):
> > y
> >
> > README
> > branches/
> > clients/
> > tags/
> > trunk/
>
>
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by kf...@collab.net.
Garret Wilson <ga...@globalmentor.com> writes:
> I've confirmed that doing something similar to what you proposed, in
> order to remove prompts altogether, fixes the problem of checking out
> on a Win32 client.
>
> Karl, thanks for moving issue 1307 up to 0.28 so that the '\r'
> confusion in the prompting can get fixed now.
Heh, don't thank me, thank the person who will review and apply the
patch, or else fix it himself (probably Mike Pilato) :-).
-K
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Garret Wilson <ga...@globalmentor.com>.
Tobias,
Tobias Ringstrom wrote:
> You can get around the problem by installing the server certificate in
> your servers file.
[...]
> If you do it like this, you will not get the prompt at all (unless
> someone is trying to hack you).
I've confirmed that doing something similar to what you proposed, in
order to remove prompts altogether, fixes the problem of checking out on
a Win32 client.
Karl, thanks for moving issue 1307 up to 0.28 so that the '\r' confusion
in the prompting can get fixed now.
Cheers,
Garret
Re: [PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by David Waite <ma...@akuma.org>.
I was going to suggest just having ssl-authorities-file = default, but
this works too :-)
-David Waite
>
> I did add a new boolean config option at first
> (ssl-system-authorities), but I decided that I did not like it because
> I figured that the default value would need to change depending on
> whether ssl-authorities-file was used or not.
>
> How about the following solution? It will load the system CAs if
> ssl-authorities-file is not used, but not if ssl-authorities-file is
> used. You can get around that by prefixing the filename with a plus
> (+). I think that covers all cases. If you want to disable all CAs,
> you can point ssl-authorities-file to an empty file.
>
> Example 1:
>
> # Add our own CAs to the default ones
> ssl-authorities-file = +/etc/my-CAs.pem
>
> Example 2:
>
> # Only permit our own CAs:
> ssl-authorities-file = /etc/my-CAs.pem
Re: [PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Garret Wilson <ga...@globalmentor.com>.
This issue (checking trusted CAs) has been pushed off until at least
beta. That's OK, but what about the issue that brought this up---svn on
win32 will provide multiple certificate prompts and then fail with:
svn: RA layer request failed
svn: The path was not part of a repository
svn: PROPFIND request failed on '/'
svn: PROPFIND of '/': 403 Forbidden (https://svn.example.com)
(1) Has this been confirmed to be
http://subversion.tigris.org/issues/show_bug.cgi?id=1307 and (2) is
there a reason the patch shouldn't go in until beta?
On win32 I cannot check out *any* secure repository since 0.25.0. (I
have not yet tried the workaround of altering the list of trusted CAs so
that I don't get a prompt, but if this patch works, why not go with it?)
Really wanting to start using Subversion again (but not wanting to delve
into configuration files just yet),
Garret
P.S. Sorry for the duplicate message, Sander.
Sander Roobol wrote:
> On Mon, Jul 21, 2003 at 10:11:23PM +0200, Tobias Ringström wrote:
>
>>* subversion/include/svn_config.h:
>> Added new server config file directive, ssl-trust-default-ca.
>>
>>* subversion/libsvn_subr/config_file.c (svn_config_ensure):
>> Describe ssl-trust-default-ca in generated servers config files.
>>
>>* subversion/libsvn_ra_dav/session.c (svn_ra_dav__open):
>> Only trust the default CAs if ssl-trust-default-ca is true.
>
>
> Filed as issue 1443:
> http://subversion.tigris.org/issues/show_bug.cgi?id=1443
> Tobias, I couldn't add you to the CC list of this issue because you
> don't appear to have a tigris.org account. You can create one and add
> yourself to the issue's CC list to receive any updates to this issue by
> mail.
>
> Sander
Re: [PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Sander Roobol <ph...@wanadoo.nl>.
On Mon, Jul 21, 2003 at 10:11:23PM +0200, Tobias Ringström wrote:
> * subversion/include/svn_config.h:
> Added new server config file directive, ssl-trust-default-ca.
>
> * subversion/libsvn_subr/config_file.c (svn_config_ensure):
> Describe ssl-trust-default-ca in generated servers config files.
>
> * subversion/libsvn_ra_dav/session.c (svn_ra_dav__open):
> Only trust the default CAs if ssl-trust-default-ca is true.
Filed as issue 1443:
http://subversion.tigris.org/issues/show_bug.cgi?id=1443
Tobias, I couldn't add you to the CC list of this issue because you
don't appear to have a tigris.org account. You can create one and add
yourself to the issue's CC list to receive any updates to this issue by
mail.
Sander
[PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Tobias Ringström <to...@ringstrom.mine.nu>.
The only reason I did not choose the extra config file directive is that
I thought that the system default authorities ought not to be used if
ssl-authorities-file was used. Well, I've changed my mind because I
cannot see how that could ever hurt.
Here goes patch number three which adds the new config option
ssl-trust-default-ca, tested and working. I hope you like it -- I know I
do! :-)
Here's the new log info:
* subversion/include/svn_config.h:
Added new server config file directive, ssl-trust-default-ca.
* subversion/libsvn_subr/config_file.c (svn_config_ensure):
Describe ssl-trust-default-ca in generated servers config files.
* subversion/libsvn_ra_dav/session.c (svn_ra_dav__open):
Only trust the default CAs if ssl-trust-default-ca is true.
/Tobias
Re: [PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Garret Wilson <ga...@globalmentor.com>.
Tobias Ringström wrote:
> I did add a new boolean config option at first (ssl-system-authorities),
> but I decided that I did not like it because I figured that the default
> value would need to change depending on whether ssl-authorities-file was
> used or not.
>
> How about the following solution? It will load the system CAs if
> ssl-authorities-file is not used, but not if ssl-authorities-file is
> used. You can get around that by prefixing the filename with a plus (+).
Syntactically, this would generate confusion. A parser would have to
parse the file to get the value, yet the value itself would have to be
parsed to separate "optional addition directive" from "filename." How
this would interact with some file system in the future that allows plus
signs is unknown.
Semantically, this is mixing two orthogonal ideas into one value:
boolean:append/replace and string:filename. It would be better to just
make a separate explicit boolean value, since this is in effect what's
going on anyway, just with a syntax that's proprietary and confusing.
Garret
Re: [PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Tobias Ringström <to...@ringstrom.mine.nu>.
mark benedetto king wrote:
> On Mon, Jul 21, 2003 at 12:33:58PM +0200, Tobias Ringström wrote:
>
>> ne_ssl_load_ca(sess, authorities_file);
>> ne_ssl_load_ca(sess2, authorities_file);
>> }
>>+ else
>>+ {
>>+ ne_ssl_load_default_ca(sess);
>>+ ne_ssl_load_default_ca(sess2);
>>+ }
>>
>
> I think that whether-or-not to load the default ca info is orthogonal
> to whether-or-not to load some user specific ca info, and thus deserves its
> own config option. All four permutations are reasonable, IMO.
I did add a new boolean config option at first (ssl-system-authorities),
but I decided that I did not like it because I figured that the default
value would need to change depending on whether ssl-authorities-file was
used or not.
How about the following solution? It will load the system CAs if
ssl-authorities-file is not used, but not if ssl-authorities-file is
used. You can get around that by prefixing the filename with a plus (+).
I think that covers all cases. If you want to disable all CAs, you can
point ssl-authorities-file to an empty file.
Example 1:
# Add our own CAs to the default ones
ssl-authorities-file = +/etc/my-CAs.pem
Example 2:
# Only permit our own CAs:
ssl-authorities-file = /etc/my-CAs.pem
I've attached the new patch. It applies to trunk rev 6521. Here is the
log entry:
* subversion/libsvn_subr/config_file.c (svn_config_ensure):
Explain the meaning of the + prefix for ssl-authorities-file
in the default server config file.
* subversion/libsvn_ra_dav/session.c (svn_ra_dav__open):
Load the system default CAs by default, but not if
ssl-authorities-file is used, unless the filename is
prefixed by a plus (+).
/Tobias
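As an added illustration (not Subversion's or neon's own code), the following Python model resolves which CA sources an svn client should load for a host under the explicit-boolean design adopted in the [PATCH] post above (ssl-authorities-file plus ssl-trust-default-ca), which expresses all four combinations Mark asked for without the "+" prefix proposed here. It assumes the servers file's [groups]/per-group/[global] layout and a default of trusting the OpenSSL bundle; the host names, paths and sample file are constructed.

```python
import configparser
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a Subversion 'servers' file. [groups] maps a group name
# to host patterns, a section with the group's name carries that group's
# settings, and [global] is the fallback. Hosts and paths are made up.
SAMPLE_SERVERS = """
[groups]
corp = *.corp.example.com
pinned = svn.pinned.example.com
isolated = svn.isolated.example.com

[corp]
# Our own CAs on top of the OpenSSL default bundle
ssl-authorities-file = /etc/ssl/corp-CAs.pem
ssl-trust-default-ca = yes

[pinned]
# Only the server's own certificate is trusted; a mismatch means a warning
ssl-authorities-file = /etc/ssl/svn.pinned.example.com.crt
ssl-trust-default-ca = no

[isolated]
# Trust nothing: every server certificate triggers the prompt
ssl-trust-default-ca = no

[global]
ssl-trust-default-ca = yes
"""

OPTION_AUTHORITIES_FILE = "ssl-authorities-file"
OPTION_TRUST_DEFAULT_CA = "ssl-trust-default-ca"


@dataclass(frozen=True)
class TrustSources:
    """What the client hands to the TLS layer before the handshake."""
    authorities_file: Optional[str]  # private CA or server-cert file, or None
    trust_default_ca: bool           # whether to load OpenSSL's default bundle


def parse_servers(text: str) -> configparser.ConfigParser:
    # The servers file is INI-like with '#' comment lines.
    cfg = configparser.ConfigParser(interpolation=None, comment_prefixes=("#",))
    cfg.read_string(text)
    return cfg


def group_for_host(cfg: configparser.ConfigParser, host: str) -> Optional[str]:
    """Return the first [groups] entry whose comma-separated patterns match host."""
    if not cfg.has_section("groups"):
        return None
    for group, patterns in cfg.items("groups"):
        for pattern in patterns.split(","):
            if fnmatch.fnmatchcase(host.lower(), pattern.strip().lower()):
                return group
    return None


def resolve_trust(cfg: configparser.ConfigParser, host: str) -> TrustSources:
    """Group settings override [global]; unset ssl-trust-default-ca means yes
    (assumption matching the thread's 'loaded by default' requirement)."""
    candidates = (group_for_host(cfg, host), "global")
    sections = [s for s in candidates if s and cfg.has_section(s)]

    def lookup(option: str) -> Optional[str]:
        for section in sections:
            if cfg.has_option(section, option):
                return cfg.get(section, option)
        return None

    authorities_file = lookup(OPTION_AUTHORITIES_FILE)
    raw = lookup(OPTION_TRUST_DEFAULT_CA)
    trust_default = True if raw is None else raw.strip().lower() in ("yes", "true", "on", "1")
    return TrustSources(authorities_file, trust_default)


def ca_loading_plan(sources: TrustSources) -> list:
    """The neon calls a session would receive, in order, using the names from
    the thread. Loading the private file never suppresses the default bundle."""
    plan = []
    if sources.authorities_file:
        plan.append(f"ne_ssl_load_ca({sources.authorities_file})")
    if sources.trust_default_ca:
        plan.append("ne_ssl_load_default_ca()")
    return plan


if __name__ == "__main__":
    servers = parse_servers(SAMPLE_SERVERS)
    for name in ("svn.corp.example.com", "svn.pinned.example.com",
                 "svn.isolated.example.com", "svn.other.example.net"):
        print(name, ca_loading_plan(resolve_trust(servers, name)))
```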
Re: [PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Tobias Ringström <to...@ringstrom.mine.nu>.
mark benedetto king wrote:
> On Mon, Jul 21, 2003 at 12:33:58PM +0200, Tobias Ringström wrote:
>
>> ne_ssl_load_ca(sess, authorities_file);
>> ne_ssl_load_ca(sess2, authorities_file);
>> }
>>+ else
>>+ {
>>+ ne_ssl_load_default_ca(sess);
>>+ ne_ssl_load_default_ca(sess2);
>>+ }
>>
>
> I think that whether-or-not to load the default ca info is orthogonal
> to whether-or-not to load some user specific ca info, and thus deserves its
> own config option. All four permutations are reasonable, IMO.
Sure, why not, as long as the default CA info is loaded by default. I'll
look into it right away.
/Tobias
Re: [PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by mark benedetto king <mb...@lowlatency.com>.
On Mon, Jul 21, 2003 at 12:33:58PM +0200, Tobias Ringström wrote:
> ne_ssl_load_ca(sess, authorities_file);
> ne_ssl_load_ca(sess2, authorities_file);
> }
> + else
> + {
> + ne_ssl_load_default_ca(sess);
> + ne_ssl_load_default_ca(sess2);
> + }
>
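Review bot: an administrator who sets ssl-authorities-file loses the OpenSSL default bundle entirely with this hunk, because the two ne_ssl_load_default_ca calls sit only in the new else branch of the authorities-file check; trusting the default CAs is independent of loading a private file, so consider a separate boolean option (the ssl-trust-default-ca directive proposed later in this thread) and call ne_ssl_load_default_ca on both sess and sess2 whenever it is set, outside the if/else. The call is also named ne_ssl_trust_default_ca in newer neon and ne_ssl_load_default_ca only in neon 0.23 (per Joe Orton's note in this thread), so the name used here should match the neon version the build targets.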
I think that whether-or-not to load the default ca info is orthogonal
to whether-or-not to load some user specific ca info, and thus deserves its
own config option. All four permutations are reasonable, IMO.
--ben
[PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Tobias Ringström <to...@ringstrom.mine.nu>.
Garret Wilson wrote:
> Uh, oh, the problem is even worse than I thought. The thing is, I *do*
> have a real certificate. Check for yourself: browse to
> https://svn.globalmentor.com/test/ and enter:
>
> [...]
>
> So I shouldn't even see the prompts in the first place. What's wrong?
Subversion. :-(
The problem is that Subversion never installs the system's SSL
authorities file. I think the following patch is a very good idea. I've
tested this patch on Linux for sites using both real and self-signed
certificates, with and without an ssl-authorities-file configuration
directive, and it works just fine. The patch is for 0.25, but applies on
trunk as well.
* subversion/libsvn_ra_dav/session.c (svn_ra_dav__open):
Call ne_ssl_load_default_ca to install default CA authorities if no
authorities file was configured.
/Tobias
RE: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Daniel Stenberg <da...@haxx.se>.
On Mon, 21 Jul 2003, Sander Striker wrote:
> >> It works just as in Linux. There are no "system certificates" in windows,
> >> AFAIK. They are IE ones.
> >
> > Nope. See:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/certenumcertificatesinstore.asp
Thanks for correcting me. I'll go back to be quiet now! ;-)
--
Daniel Stenberg - http://daniel.haxx.se - +46-705-44 31 77
ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
RE: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Sander Striker <st...@apache.org>.
> From: Tobias Ringstrom [mailto:tobias@ringstrom.mine.nu]
> Sent: Monday, July 21, 2003 1:34 PM
[...]
>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/certenumcertificatesinstore.asp
>
> Do you know if the Windows port of OpenSSL uses this?
AFAIK, it doesn't. I could be wrong though.
It's still something to consider implementing in Subversion or Neon.
Sander
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Tobias Ringström <to...@ringstrom.mine.nu>.
Sander Striker wrote:
>>From: Sander Striker [mailto:striker@apache.org]
>>Sent: Monday, July 21, 2003 1:24 PM
>
>>>It works just as in Linux. There are no "system certificates" in windows,
>>>AFAIK. They are IE ones.
>>
>>Nope. See:
>
> [...wrong url...]
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/certenumcertificatesinstore.asp
Do you know if the Windows port of OpenSSL uses this?
/Tobias
RE: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Sander Striker <st...@apache.org>.
> From: Sander Striker [mailto:striker@apache.org]
> Sent: Monday, July 21, 2003 1:24 PM
[...]
>> It works just as in Linux. There are no "system certificates" in windows,
>> AFAIK. They are IE ones.
>
> Nope. See:
[...wrong url...]
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/certenumcertificatesinstore.asp
Sander
RE: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Sander Striker <st...@apache.org>.
> From: Daniel Stenberg [mailto:daniel@haxx.se]
> Sent: Monday, July 21, 2003 1:18 PM
> On Mon, 21 Jul 2003, Tobias Ringström wrote:
>
> > > OpenSSL does not trust any CAs by default either; if you want to configure
> > > neon to trust the bundle of CA root certs which are included in OpenSSL
> > > you have to call ne_ssl_trust_default_ca (s/trust/load for neon 0.23) on
> > > the session object.
> >
> > I wonder how OpenSSL does this on Windows. Does it use a file just as in
> > Linux, or can it use the Windows system certificates?
>
> It works just as in Linux. There are no "system certificates" in windows,
> AFAIK. They are IE ones.
Nope. See:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/icertrequest2_getcaproperty.asp
For instance.
Sander
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Daniel Stenberg <da...@haxx.se>.
On Mon, 21 Jul 2003, Tobias Ringström wrote:
> > OpenSSL does not trust any CAs by default either; if you want to configure
> > neon to trust the bundle of CA root certs which are included in OpenSSL
> > you have to call ne_ssl_trust_default_ca (s/trust/load for neon 0.23) on
> > the session object.
>
> I wonder how OpenSSL does this on Windows. Does it use a file just as in
> Linux, or can it use the Windows system certificates?
It works just as in Linux. There are no "system certificates" in windows,
AFAIK. They are IE ones.
--
Daniel Stenberg - http://daniel.haxx.se - +46-705-44 31 77
ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Tobias Ringström <to...@ringstrom.mine.nu>.
Joe Orton wrote:
> OpenSSL does not trust any CAs by default either; if you want to
> configure neon to trust the bundle of CA root certs which are included
> in OpenSSL you have to call ne_ssl_trust_default_ca (s/trust/load for
> neon 0.23) on the session object.
Thanks Joe. I figured that out and submitted a simple patch just before
I got your email. Typical. :-)
I wonder how OpenSSL does this on Windows. Does it use a file just as in
Linux, or can it use the Windows system certificates?
/Tobias
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Joe Orton <jo...@manyfish.co.uk>.
On Mon, Jul 21, 2003 at 06:59:52AM +0200, Martin v. Löwis wrote:
> Garret Wilson <ga...@globalmentor.com> writes:
>
> > This also requires that I install some CA file on my web server, so
> > maybe neon has some problems with this extra CA step---but it works
> > fine with every browser I've used.
> >
> > So I shouldn't even see the prompts in the first place. What's wrong?
>
> I think you are missing a number of points here. Neon, by itself, does
> not trust any CA, neither Comodo Class 3 Security Services CA, nor GTE
> Cybertrust. You actively have to *configure* which certificates neon
> trust, and you have to do that on the client side.
>
> So you have to save both the Comodo certificate and the GTE
> certificate into a PEM file, and list this PEM file as
> ssl-authorities-file.
>
> Alternatively, you can have openssl trust these CAs by default - you
> would have to find out where openssl stores it CA certs and verify
> that the two certificates are listed there.
OpenSSL does not trust any CAs by default either; if you want to
configure neon to trust the bundle of CA root certs which are included
in OpenSSL you have to call ne_ssl_trust_default_ca (s/trust/load for
neon 0.23) on the session object.
joe
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by "Martin v. Löwis" <ma...@v.loewis.de>.
Garret Wilson <ga...@globalmentor.com> writes:
> This also requires that I install some CA file on my web server, so
> maybe neon has some problems with this extra CA step---but it works
> fine with every browser I've used.
>
> So I shouldn't even see the prompts in the first place. What's wrong?
I think you are missing a number of points here. Neon, by itself, does
not trust any CA, neither Comodo Class 3 Security Services CA, nor GTE
Cybertrust. You actively have to *configure* which certificates neon
trust, and you have to do that on the client side.
So you have to save both the Comodo certificate and the GTE
certificate into a PEM file, and list this PEM file as
ssl-authorities-file.
Alternatively, you can have openssl trust these CAs by default - you
would have to find out where openssl stores its CA certs and verify
that the two certificates are listed there.
What CAs your browsers trust is completely irrelevant.
Regards,
Martin
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Garret Wilson <ga...@globalmentor.com>.
Tobias Ringstrom wrote:
> If you have lots of users you should probably get a real certificate,
> but if that is not an option you can create a small installer that
> modifies the servers file as in my example.
[...]
> I'll try to explain why I think that it's more secure to use the
> ssl-authorities-file directive. If you have a real (not self-signed)
> certificate, then the client accepts it because it is signed by one of
> the CAs in the openssl list (/usr/share/ssl/cert.pem on my system). You
> will not get a warning unless something is *really* wrong.
Uh, oh, the problem is even worse than I thought. The thing is, I *do*
have a real certificate. Check for yourself: browse to
https://svn.globalmentor.com/test/ and enter:
username: bcs
password: svn
Then check the certificate information. I have a valid InstantSSL
certificate. As I mentioned in an earlier e-mail, InstantSSL has some
relationship with Baltimore Technologies that uses "a new Root CA
Certificate" that is "trusted by over 99.3% of all current browsers...,
now equal to Verisign and Thawte" according to
http://www.instantssl.com/ssl-certificate-support/ssl-certificate-browser_compatibility.html.
This also requires that I install some CA file on my web server, so
maybe neon has some problems with this extra CA step---but it works fine
with every browser I've used.
So I shouldn't even see the prompts in the first place. What's wrong?
Garret
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Tobias Ringstrom <to...@ringstrom.mine.nu>.
Garret Wilson wrote:
> Thanks, Tobias, but for me this option is neither easier to use nor more
> secure.
You're very welcome, but I will not let you get away that easily! ;-)
> First, my issue is not the prompting---it's the failure to check
> out. (I could even temporarily live with multiple prompts on checkout.)
Yup, and that's why I called it a workaround. The bug is real and
needs fixing, but even if it is fixed, my example would be more
secure. I'll explain why below.
> Second, this solution would require me to distribute a separate file to
> each new client who wishes to connect. That's not easier than simply
> fixing the bug once and for all on the client.
If you have lots of users you should probably get a real certificate,
but if that is not an option you can create a small installer that
modifies the servers file as in my example.
The problem is that if you tell all your users to just say yes to all
certificate warnings, they will not notice if the DNS is hacked to
point to another server. They will just say yes to any warning. The
warnings are there for a reason, and in most cases it is a mistake to
ignore it.
If you do not care about security, I think http is a better choice.
> And in theoretical terms it's not more secure. The whole idea of
> certificate authorities is that they help authenticate certificates. If
> a CA is used, it will recognize, for example, if you've decided to
> revoke the certificate for a site. I don't think this would happen if
> you've hard-configured a certificate on the client.
To handle revocation of certificates, the client must support client
revocation lists, and I don't think many clients actually do that. I hope
I'm wrong, though. I have no idea if subversion/neon does it.
> Lastly, I couldn't find "ssl-authorities-file" mentioned anywhere in the
> Subversion book.
That's a bummer. I must confess that I did not look at the book in
this case. I'm used to the book being so good that I was sure that it
did cover this as well. It is described in the servers config file,
though.
I'll try to explain why I think that it's more secure to use the
ssl-authorities-file directive. If you have a real (not self-signed)
certificate, then the client accepts it because it is signed by one of
the CAs in the openssl list (/usr/share/ssl/cert.pem on my system).
You will not get a warning unless something is *really* wrong.
If you do not want to buy a real certificate you can create a
self-signed one, which I assume is what you've done. Since it is
self-signed it will not be accepted by openssl (unless you put it in
the system CA file), and you get a warning. If you just say yes to
that warning you have no way to detect if your DNS has been hijacked.
The solution is to verify once and for all that the certificate is
authentic, and then put it in the servers file as I demonstrated. If
your DNS is hijacked, the certificate will not match and you will get
a warning. As with a real certificate, a warning now indicates a
severe security problem.
This is why it is more secure, and I hope you agree now.
> I could understand hard-configuring a root CA, but Subversion should
> ship with a base list of authorized CAs, as browsers do.
Subversion uses neon which uses openssl, so the system's standard list
is used -- i.e. it works as it should. I do not know if neon uses
certificate revocation lists.
I have not tested it since I do not have a real certificate, but if it
does not work like that, then it's a bug.
> But again, the real problem here is not the prompting---it's the failure
> to check out. I guess you're saying that the checkout problem stems from some
> bug in the prompting, but I haven't yet confirmed whether this is the case.
You could always try my solution and see if the problem goes away.
That should isolate it.
/Tobias
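As an added illustration of the servers-file lookup Tobias describes above (example code, not Subversion's own; the "work" group, its wildcard pattern and the work-ca.pem path are made up), this resolver maps a host to its [groups] entry and then to that group's ssl-authorities-file, falling back to [global] and finally to the system CA list:

```python
"""Resolve which ssl-authorities-file a Subversion 'servers' file pins for a host.

Added example, not Subversion's own code. It mirrors the lookup order the
thread relies on: host -> [groups] pattern -> group section -> [global].
Hosts, group names and PEM paths other than those in the thread are made up.
"""
import configparser
import fnmatch

# Constructed servers file in the format quoted in the thread.
SERVERS_INI = """
[groups]
ringstrom = ringstrom.mine.nu
work = *.example.com

[ringstrom]
ssl-authorities-file = /home/tori/.subversion/ringstrom.pem

[work]
ssl-authorities-file = /home/tori/.subversion/work-ca.pem

[global]
# No pin here: unmatched hosts fall back to the OpenSSL system CA list.
"""


def parse_servers(text):
    """Parse servers-file text; '#' comments and INI sections as in svn."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def group_for_host(cp, host):
    """First group whose pattern matches host (glob, case-insensitive).

    Assumption: svn matches group patterns with fnmatch-style globs and
    allows a comma-separated list of patterns per group.
    """
    if not cp.has_section("groups"):
        return None
    host = host.lower()
    for group, patterns in cp.items("groups"):
        for pat in patterns.split(","):
            if fnmatch.fnmatchcase(host, pat.strip().lower()):
                return group
    return None


def pinned_ca_file(cp, host):
    """Pinned CA file path for host, or None meaning 'use the system CA list'."""
    group = group_for_host(cp, host)
    for section in ([group] if group else []) + ["global"]:
        if cp.has_option(section, "ssl-authorities-file"):
            return cp.get(section, "ssl-authorities-file")
    return None
```

Once a host resolves to a pinned file, a certificate warning for that host can no longer be explained by "self-signed, say yes"; it means the presented certificate is not the one you verified out of band.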
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Garret Wilson <ga...@globalmentor.com>.
Thanks, Tobias, but for me this option is neither easier to use nor more
secure.
First, my issue is not the prompting---it's the failure to check
out. (I could even temporarily live with multiple prompts on checkout.)
Second, this solution would require me to distribute a separate file to
each new client who wishes to connect. That's not easier than simply
fixing the bug once and for all on the client.
And in theoretical terms it's not more secure. The whole idea of
certificate authorities is that they help authenticate certificates. If
a CA is used, it will recognize, for example, if you've decided to
revoke the certificate for a site. I don't think this would happen if
you've hard-configured a certificate on the client.
Lastly, I couldn't find "ssl-authorities-file" mentioned anywhere in the
Subversion book.
I could understand hard-configuring a root CA, but Subversion should
ship with a base list of authorized CAs, as browsers do.
But again, the real problem here is not the prompting---it's the failure
to check out. I guess you're saying that the checkout problem stems from some
bug in the prompting, but I haven't yet confirmed whether this is the case.
Thanks for the suggestion in any case, but I don't think it's a good
option for me.
Garret
Tobias Ringstrom wrote:
> Garret Wilson wrote:
>
>> Yep, I just confirmed that I can checkout on my Linux server. But on
>> both Win2k and WinXP clients, I get:
>>
>> svn: RA layer request failed
>> svn: The path was not part of a repository
>> svn: PROPFIND request failed on '/'
>> svn: PROPFIND of '/': 403 Forbidden (https://svn.globalmentor.com)
>>
>> This is not good---I can't check out my repositories on Win32 clients
>> (i.e. all of my clients). (I can't revert to an old svn version,
>> because the old svn versions would timeout because of a large number
>> of files in the repository. I don't even know if that problem has been
>> fixed, because now I can't even check out any repository.)
>
>
> You can get around the problem by installing the server certificate in
> your servers file. That solution is both easier to use and more secure.
> See the book for the full explanation, but it is essentially:
>
> [groups]
> ringstrom = ringstrom.mine.nu
>
> [ringstrom]
> ssl-authorities-file = /home/tori/.subversion/ringstrom.pem
>
> If you do it like this, you will not get the prompt at all (unless
> someone is trying to hack you).
>
> /Tobias
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Tobias Ringstrom <to...@ringstrom.mine.nu>.
Garret Wilson wrote:
> Yep, I just confirmed that I can checkout on my Linux server. But on
> both Win2k and WinXP clients, I get:
>
> svn: RA layer request failed
> svn: The path was not part of a repository
> svn: PROPFIND request failed on '/'
> svn: PROPFIND of '/': 403 Forbidden (https://svn.globalmentor.com)
>
> This is not good---I can't check out my repositories on Win32 clients
> (i.e. all of my clients). (I can't revert to an old svn version, because
> the old svn versions would timeout because of a large number of files in
> the repository. I don't even know if that problem has been fixed,
> because now I can't even check out any repository.)
You can get around the problem by installing the server certificate in
your servers file. That solution is both easier to use and more
secure. See the book for the full explanation, but it is essentially:
[groups]
ringstrom = ringstrom.mine.nu
[ringstrom]
ssl-authorities-file = /home/tori/.subversion/ringstrom.pem
If you do it like this, you will not get the prompt at all (unless
someone is trying to hack you).
/Tobias
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Garret Wilson <ga...@globalmentor.com>.
Yep, I just confirmed that I can checkout on my Linux server. But on
both Win2k and WinXP clients, I get:
svn: RA layer request failed
svn: The path was not part of a repository
svn: PROPFIND request failed on '/'
svn: PROPFIND of '/': 403 Forbidden (https://svn.globalmentor.com)
This is not good---I can't check out my repositories on Win32 clients
(i.e. all of my clients). (I can't revert to an old svn version, because
the old svn versions would timeout because of a large number of files in
the repository. I don't even know if that problem has been fixed,
because now I can't even check out any repository.)
Chris and/or Mark, have you tried Chris' patch on Win32, and does it fix
the problem?
Thanks,
Garret
Tobias Ringström wrote:
> Garret Wilson wrote:
>
>> I've been talking to Ben about this off the list, and it turns out my
>> checkouts still are not working. For Ben, the checkout succeeds after
>> several certificate prompts. For me (with both a Win2K and WinXP
>> client), the checkout fails (see message below) and the second prompt
>> doesn't actually wait for me to input anything.
>
>
> Just to confirm that you are not alone, I saw exactly the same behaviour
> yesterday with Subversion 0.25.0 on a Win2k client. I did not have time
> to experiment with it at the time.
>
> /Tobias
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Tobias Ringström <to...@ringstrom.mine.nu>.
Garret Wilson wrote:
> I've been talking to Ben about this off the list, and it turns out my
> checkouts still are not working. For Ben, the checkout succeeds after
> several certificate prompts. For me (with both a Win2K and WinXP
> client), the checkout fails (see message below) and the second prompt
> doesn't actually wait for me to input anything.
Just to confirm that you are not alone, I saw exactly the same behaviour
yesterday with Subversion 0.25.0 on a Win2k client. I did not have time
to experiment with it at the time.
/Tobias
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Garret Wilson <ga...@globalmentor.com>.
I've been talking to Ben about this off the list, and it turns out my
checkouts still are not working. For Ben, the checkout succeeds after
several certificate prompts. For me (with both a Win2K and WinXP
client), the checkout fails (see message below) and the second prompt
doesn't actually wait for me to input anything.
I've created a test repository for you to reproduce this problem. Note
that this repository has *no* files in it, and it still causes me problems:
repository: https://svn.globalmentor.com/test
username: bcs
password: svn
D:\temp>svn co https://svn.globalmentor.com/test
Error validating server certificate: Unknown certificate issuer. Accept?
(y/N):
y
Error validating server certificate: Unknown certificate issuer. Accept?
(y/N):
Error validating server certificate: Unknown certificate issuer. Accept?
(y/N):
y
svn: RA layer request failed
svn: The path was not part of a repository
svn: PROPFIND request failed on '/'
svn: PROPFIND of '/': 403 Forbidden (https://svn.globalmentor.com)
I mentioned to Ben: Would the multiple prompts have anything to do with
the fact that the certificate I'm using is from InstantSSL, which
requires an extra CA certificate file to chain to the signing CA? (Other
providers, such as Verisign and Thawte, don't require this chaining
file---apparently because those CAs are already recognized by most
browsers, but InstantSSL piggybacks off of Comodo or something. I
haven't researched exactly how it works.)
SSLCertificateFile /usr/share/ssl/certs/svn.globalmentor.com.crt
SSLCertificateKeyFile /usr/share/ssl/certs/svn.globalmentor.com.key
SSLCACertificateFile /usr/share/ssl/certs/instantssl-ca-bundle.txt
Garret
Ben Collins-Sussman wrote:
> Garret Wilson <ga...@globalmentor.com> writes:
>
>
>>I just upgraded server and client to svn 0.25.0. Now, when I try to
>>check out something from a secure server, I get:
>>
>>Error validating server certificate: Unknown certificate
>>issuer. Accept? (y/N):
>>
>>That's expected. I hit "y", and get:
>>
>>Error validating server certificate: Unknown certificate
>>issuer. Accept? (y/N):
>>Error validating server certificate: Unknown certificate
>>issuer. Accept? (y/N):
>>
>>(Two in a row.) I hit "y" again, and get:
>>
>>svn: RA layer request failed
>>svn: The path was not part of a repository
>>svn: PROPFIND request failed on '/'
>>svn: PROPFIND of '/': 403 Forbidden (https://svn.globalmentor.com)
>>
>>Are there some install notes I missed for 0.25.0?
>
>
> I can't reproduce this error:
>
> $ svn ls https://svn.collab.net/repos/svn
> Error validating server certificate: Unknown certificate issuer. Accept? (y/N):
> y
>
> README
> branches/
> clients/
> tags/
> trunk/
Re: certificate problems and 403 Forbidden for svn 0.25.0
Posted by Ben Collins-Sussman <su...@collab.net>.
Garret Wilson <ga...@globalmentor.com> writes:
> I just upgraded server and client to svn 0.25.0. Now, when I try to
> check out something from a secure server, I get:
>
> Error validating server certificate: Unknown certificate
> issuer. Accept? (y/N):
>
> That's expected. I hit "y", and get:
>
> Error validating server certificate: Unknown certificate
> issuer. Accept? (y/N):
> Error validating server certificate: Unknown certificate
> issuer. Accept? (y/N):
>
> (Two in a row.) I hit "y" again, and get:
>
> svn: RA layer request failed
> svn: The path was not part of a repository
> svn: PROPFIND request failed on '/'
> svn: PROPFIND of '/': 403 Forbidden (https://svn.globalmentor.com)
>
> Are there some install notes I missed for 0.25.0?
I can't reproduce this error:
$ svn ls https://svn.collab.net/repos/svn
Error validating server certificate: Unknown certificate issuer. Accept? (y/N):
y
README
branches/
clients/
tags/
trunk/