Posted to dev@subversion.apache.org by Stefan Küng <to...@gmail.com> on 2006/06/10 16:29:09 UTC

ssl-trust-default-ca on windows

Hi,

The config option ssl-trust-default-ca doesn't work on Windows. No 
matter what it is set to (and it already defaults to 'yes'), default CAs 
aren't used to check a server certificate.
This seems to be a problem in OpenSSL (or maybe it's intentional, don't 
know). Because OpenSSL doesn't know about the Windows CryptoAPI and 
therefore can't read those default CAs.

I noticed the problem first when I tried to connect to a repository 
hosted on sourceforge.net - they have a valid and signed certificate for 
their Subversion server, but all Subversion clients still warned me 
about an unknown certificate, even though both IE and Firefox didn't.

My suggestion to 'fix' this would be to include our own default CA file 
with the Subversion Windows installer. To make this work, Subversion 
would have to read that file and use it.
One problem I found with this approach: if there is more than one 
certificate in a pem file pointed to by the ssl-authority-files param, 
only the first in that file will be used. So I tried it differently: 
create a separate pem file for all the CAs I know, then add each of those 
files to the ssl-authority-files param separated by ';'. And this 
actually works.

But to make it easier for the user (and the installer) I suggest that 
the Subversion API defines a new server config option: 
ssl-authority-files-dir which will point to a directory with pem files 
in it. It can then parse that dir and load every pem file automatically. 
That param should default to the install dir of the Subversion client 
(or INSTALLDIR\ca or something like that).
All the installer would then have to do is to put all the pem files of 
the CAs in the same (or the subdir) directory as the binaries.

A pem file we could use to split up into several ones can be found here:
http://curl.haxx.se/docs/caextract.html - it's under the mozilla 
license, so I think it shouldn't be a problem.

What do you think?

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
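
The workaround described in the message above (one certificate per pem file, listed in ssl-authority-files separated by ';') together with the directory scan proposed for ssl-authority-files-dir, as an added sketch that is not Subversion code and not part of the original posts. The function names, file naming scheme and sample bundle are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Matches one armored certificate; text between blocks (CA names) is skipped.
CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample bundle: the base64 bodies are placeholders, not real CAs.
SAMPLE_BUNDLE = """\
Example Root A
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLUE=
-----END CERTIFICATE-----
Example Root B
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLUI=
-----END CERTIFICATE-----
"""


def split_bundle(bundle_text):
    """Return each certificate block in the bundle as its own PEM string."""
    blocks = CERT_RE.findall(bundle_text)
    return [b.replace("\r\n", "\n") + "\n" for b in blocks]


def write_ca_dir(bundle_text, out_dir):
    """Write one certificate per .pem file, named by content hash."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    for pem in split_bundle(bundle_text):
        digest = hashlib.sha256(pem.encode("ascii")).hexdigest()[:16]
        (out / f"ca-{digest}.pem").write_bytes(pem.encode("ascii"))
    return sorted(out.glob("*.pem"))


def authority_files_value(ca_dir):
    """Build the ';'-separated list from every .pem file in ca_dir."""
    return ";".join(str(p) for p in sorted(Path(ca_dir).glob("*.pem")))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        write_ca_dir(SAMPLE_BUNDLE, d)
        print("ssl-authority-files =", authority_files_value(d))
```

A directory loaded this way is a trust root, so it needs the same write protection as the client binaries, and a shipped CA set only changes when its files are replaced. A path that itself contains ';' cannot be expressed in the list.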

Re: ssl-trust-default-ca on windows

Posted by "D.J. Heap" <dj...@gmail.com>.
On 6/10/06, Stefan Küng <to...@gmail.com> wrote:
> Hi,
>
> The config option ssl-trust-default-ca doesn't work on Windows. No
> matter what it is set to (and it already defaults to 'yes'), default CAs
> aren't used to check a server certificate.
> This seems to be a problem in OpenSSL (or maybe it's intentional, don't
> know). Because OpenSSL doesn't know about the Windows CryptoAPI and
> therefore can't read those default CAs.
>
> I noticed the problem first when I tried to connect to a repository
> hosted on sourceforge.net - they have a valid and signed certificate for
> their Subversion server, but all Subversion clients still warned me
> about an unknown certificate, even though both IE and Firefox didn't.
>
> My suggestion to 'fix' this would be to include our own default CA file
> with the Subversion Windows installer. To make this work, Subversion
> would have to read that file and use it.
> One problem I found with this approach: if there is more than one
> certificate in a pem file pointed to by the ssl-authority-files param,
> only the first in that file will be used. So I tried it differently:
> create a separate pem file for all the CAs I know, then add each of those
> files to the ssl-authority-files param separated by ';'. And this
> actually works.
>
> But to make it easier for the user (and the installer) I suggest that
> the Subversion API defines a new server config option:
> ssl-authority-files-dir which will point to a directory with pem files
> in it. It can then parse that dir and load every pem file automatically.
> That param should default to the install dir of the Subversion client
> (or INSTALLDIR\ca or something like that).
> All the installer would then have to do is to put all the pem files of
> the CAs in the same (or the subdir) directory as the binaries.
>
> A pem file we could use to split up into several ones can be found here:
> http://curl.haxx.se/docs/caextract.html - it's under the mozilla
> license, so I think it shouldn't be a problem.
>
> What do you think?
>
> Stefan


I think making this an option in the installer could be a good idea.
Since it will already work by putting the pem files in the config, I
doubt anyone will go to the work of adding an option unless you
provide a patch.  Even then, would the option just be ignored on Unix
or what?

It also seems like handling changes to the default CAs could be
tricky -- I don't know how often that happens, though.  Usually the OS
handles those in its 'normal' update procedures, right?  I'm pretty
sure Windows does, and I would assume Unix does.

Maybe it would be better to look into making OpenSSL pay attention to
Windows default CAs?  No idea what's involved with that.

DJ
