You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@subversion.apache.org by Tobias Ringström <to...@ringstrom.mine.nu> on 2003/07/21 10:33:58 UTC

[PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0

Garret Wilson wrote:
> Uh, oh, the problem is even worse than I thought. The thing is, I *do* 
> have a real certificate. Check for yourself: browse to 
> https://svn.globalmentor.com/test/ and enter:
 >
 > [...]
> 
> So I shouldn't even see the prompts in the first place. What's wrong?

Subversion. :-(

The problem is that Subversion never installs the system's SSL 
authorities file. I think the following patch is a very good idea. I've 
tested this patch on Linux for sites using both real and self-signed 
certificates, with and without an ssl-authorities-file configuration 
directive, and it works just fine. The patch is for 0.25, but applies on 
trunk as well.

* subversion/libsvn_ra_dav/session.c (svn_ra_dav__open):
   Call ne_ssl_load_default_ca to install default CA authorities if no
   authorities file was configured.

/Tobias

Re: [PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0

Posted by David Waite <ma...@akuma.org>.

I was going to suggest just having ssl-authorities-file = default, but 
this works too :-)

-David Waite

>
> I did add a new boolean config option at first 
> (ssl-system-authorities), but I decided that I did not like it because 
> I figured that the default value would need to change depending on 
> whether ssl-authorities-file was used or not.
>
> How about the following solution? It will load the system CAs if 
> ssl-authorities-file is not used, but not if ssl-authorities-file is 
> used. You can get around that by prefixing the filename with a plus 
> (+). I think that covers all cases. If you want to disable all CAs, 
> you can point ssl-authorities-file to an empty file.
>
> Example 1:
>
>     # Add our own CAs to the default ones
>     ssl-authorities-file = +/etc/my-CAs.pem
>
> Example 2:
>
>     # Only permit our own CAs:
>     ssl-authorities-file = /etc/my-CAs.pem 




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: [PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0

Posted by Garret Wilson <ga...@globalmentor.com>.

This issue (checking trusted CAs) has been pushed off until at least 
beta. That's OK, but what about the issue that brought this up---svn on 
win32 will provide multiple certificate prompts and then fail with:

svn: RA layer request failed
svn: The path was not part of a repository
svn: PROPFIND request failed on '/'
svn: PROPFIND of '/': 403 Forbidden (https://svn.example.com)

(1) Has then been confirmed to be 
http://subversion.tigris.org/issues/show_bug.cgi?id=1307 and (2) is 
there a reason the patch shouldn't go in until beta?

On win32 I cannot check out *any* secure repository since 0.25.0. (I 
have not yet tried the workaround of altering the list of trusted CAs so 
that I don't get a prompt, but if this patch works, why not go with it?)

Really wanting to start using Subversion again (but not wanting to delve 
into configuration files just yet),

Garret

P.S. Sorry for the duplicate message, Sander.

Sander Roobol wrote:
> On Mon, Jul 21, 2003 at 10:11:23PM +0200, Tobias Ringstr?m wrote:
> 
>>* subversion/include/svn_config.h:
>>  Added new server config file directive, ssl-trust-default-ca.
>>
>>* subversion/libsvn_subr/config_file.c (svn_config_ensure):
>>  Describe ssl-trust-default-ca in generated servers config files.
>>
>>* subversion/libsvn_ra_dav/session.c (svn_ra_dav__open):
>>  Only trust the default CAs if ssl-trust-default-ca is true.
> 
> 
> Filed as issue 1443:
>   http://subversion.tigris.org/issues/show_bug.cgi?id=1443
> Tobias, I couldn't add you to the CC list of this issue because you
> don't appear to have a tigris.org account. You can create one and add
> yourself to the issue's CC list to receive any updates to this issue by
> mail.
> 
> Sander
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: [PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0

Posted by Sander Roobol <ph...@wanadoo.nl>.

On Mon, Jul 21, 2003 at 10:11:23PM +0200, Tobias Ringstr?m wrote:
> * subversion/include/svn_config.h:
>   Added new server config file directive, ssl-trust-default-ca.
> 
> * subversion/libsvn_subr/config_file.c (svn_config_ensure):
>   Describe ssl-trust-default-ca in generated servers config files.
> 
> * subversion/libsvn_ra_dav/session.c (svn_ra_dav__open):
>   Only trust the default CAs if ssl-trust-default-ca is true.

Filed as issue 1443:
  http://subversion.tigris.org/issues/show_bug.cgi?id=1443
Tobias, I couldn't add you to the CC list of this issue because you
don't appear to have a tigris.org account. You can create one and add
yourself to the issue's CC list to receive any updates to this issue by
mail.

Sander

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

[PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0

Posted by Tobias Ringström <to...@ringstrom.mine.nu>.

The only reason I did not choose the extra config file directive is that 
I thought that the system default authorities ought not to be used if 
ssl-authorities-file was used. Well, I've changed my mind because I 
cannot see how that could ever hurt.

Here goes patch number three which adds the new config option 
ssl-trust-default-ca, tested and working. I hope you like it -- I know I 
do! :-)

Here's the new log info:

* subversion/include/svn_config.h:
   Added new server config file directive, ssl-trust-default-ca.

* subversion/libsvn_subr/config_file.c (svn_config_ensure):
   Describe ssl-trust-default-ca in generated servers config files.

* subversion/libsvn_ra_dav/session.c (svn_ra_dav__open):
   Only trust the default CAs if ssl-trust-default-ca is true.

/Tobias

Re: [PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0

Posted by Garret Wilson <ga...@globalmentor.com>.

Tobias Ringström wrote:
> I did add a new boolean config option at first (ssl-system-authorities), 
> but I decided that I did not like it because I figured that the default 
> value would need to change depending on whether ssl-authorities-file was 
> used or not.
> 
> How about the following solution? It will load the system CAs if 
> ssl-authorities-file is not used, but not if ssl-authorities-file is 
> used. You can get around that by prefixing the filename with a plus (+). 

Syntactically, this would generate confusion. A parser would have to 
parse the file to get the value, yet the value itself would have to be 
parsed to separate "optional addition directive" from "filename." How 
this would interact with some file system in the future that allows plus 
signs is unknown.

Semantically, this is mixing two orthogonal ideas into one value: 
boolean:append/replace and string:filename. It would be better to just 
make a separate explicit boolean value, since this is in effect what's 
going on anyway, just with a syntax that's proprietary and confusing.

Garret

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: [PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0

Posted by Tobias Ringström <to...@ringstrom.mine.nu>.

mark benedetto king wrote:
> On Mon, Jul 21, 2003 at 12:33:58PM +0200, Tobias Ringström wrote:
> 
>>           ne_ssl_load_ca(sess, authorities_file);
>>           ne_ssl_load_ca(sess2, authorities_file);
>>         }
>>+	  else
>>+        {
>>+          ne_ssl_load_default_ca(sess);
>>+          ne_ssl_load_default_ca(sess2);
>>+        }
>> 
> 
> I think that whether-or-not to load the default ca info is orthogonal 
> to whether-or-not to load some user specific ca info, and thus deserves its
> own config option.  All four permutations are reasonable, IMO.

I did add a new boolean config option at first (ssl-system-authorities), 
but I decided that I did not like it because I figured that the default 
value would need to change depending on whether ssl-authorities-file was 
used or not.

How about the following solution? It will load the system CAs if 
ssl-authorities-file is not used, but not if ssl-authorities-file is 
used. You can get around that by prefixing the filename with a plus (+). 
I think that covers all cases. If you want to disable all CAs, you can 
point ssl-authorities-file to an empty file.

Example 1:

     # Add our own CAs to the default ones
     ssl-authorities-file = +/etc/my-CAs.pem

Example 2:

     # Only permit our own CAs:
     ssl-authorities-file = /etc/my-CAs.pem

I've attached the new patch. It applies to trunk rev 6521. Here is the 
log entry:

* subversion/libsvn_subr/config_file.c (svn_config_ensure):
   Explain the meaning of the + prefix for ssl-authorities-file
   in the default server config file.

* subversion/libsvn_ra_dav/session.c (svn_ra_dav__open):
   Load the system default CAs by default, but not if
   ssl-authorities-file is used, unless the filename is
   prefixed by a plus (+).

/Tobias

Re: [PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0

Posted by Tobias Ringström <to...@ringstrom.mine.nu>.

mark benedetto king wrote:
> On Mon, Jul 21, 2003 at 12:33:58PM +0200, Tobias Ringström wrote:
> 
>>           ne_ssl_load_ca(sess, authorities_file);
>>           ne_ssl_load_ca(sess2, authorities_file);
>>         }
>>+	  else
>>+        {
>>+          ne_ssl_load_default_ca(sess);
>>+          ne_ssl_load_default_ca(sess2);
>>+        }
>> 
> 
> I think that whether-or-not to load the default ca info is orthogonal 
> to whether-or-not to load some user specific ca info, and thus deserves its
> own config option.  All four permutations are reasonable, IMO.

Sure, why not, as long as the default CA info is loaded by default. I'll 
look into it right away.

/Tobias


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: [PATCH] Re: certificate problems and 403 Forbidden for svn 0.25.0

Posted by mark benedetto king <mb...@lowlatency.com>.

On Mon, Jul 21, 2003 at 12:33:58PM +0200, Tobias Ringström wrote:
>            ne_ssl_load_ca(sess, authorities_file);
>            ne_ssl_load_ca(sess2, authorities_file);
>          }
> +	  else
> +        {
> +          ne_ssl_load_default_ca(sess);
> +          ne_ssl_load_default_ca(sess2);
> +        }
>  

I think that whether-or-not to load the default ca info is orthogonal 
to whether-or-not to load some user specific ca info, and thus deserves its
own config option.  All four permutations are reasonable, IMO.

--ben


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org