Posted to dev@subversion.apache.org by js...@pobox.com on 2003/08/08 03:27:28 UTC

ssl-authorities-file

I recently upgraded from Subversion 0.20 to 0.26. When I did so I began 
getting the following message:

Error validating server certificate: Unknown certificate issuer. Accept? (y/N):

As best as I can understand it, this is caused because my certificate has 
the name "foobar.net" in it but the actual name is "dev.foobar.net". As has 
been stated in previous emails to this list, the first time it asks it 
waits for an answer, the second time it asks it seems to just quit before 
you can answer. I looked through the archives and it seems that the answer 
is to use the "ssl-authorities-file" configuration option.

I copied the server's certificate file (foobar.net.crt) to 
c:\foobar.net.crt. I inserted the following lines in the servers file:

[groups]
foobar = dev.foobar.net

[foobar]
ssl-authorities-file = /foobar.net.crt


Unfortunately, it continues to ask me the question. My server is running 
Linux and my clients are running Windows 2000.

Any suggestions? What am I doing wrong?

Thanks,

Jason Stewart

Re: ssl-authorities-file

Posted by John Locke <ma...@freelock.com>.
jstewart@pobox.com wrote:

> Thanks for replying.
>
>
>> You're confusing the meaning of 'ssl-authorities-file'.  It means, "which
>> CAs do I trust?"   It's supposed to point to the certificate of the *CA* that
>> signed the server cert, not to the server cert itself.
>
>
> I'll not dispute this. However, my certificate is signed by GeoTrust. 
> I went to their website (www.geotrust.com <http://www.geotrust.com/>) 
> and downloaded their certificate. I changed my servers file to point 
> to it and still no joy.
>
You're still confusing the Certificate Authority with the Certificate.

You state in your original email:

> As best as I can understand it, this is caused because my certificate 
> has the name "foobar.net" in it but the actual name is "dev.foobar.net".

That sounds like the problem.

In your configuration, all you did was tell Subversion to trust the 
Geotrust Certificate Authority to authenticate server certificates--but 
your server certificate doesn't match the server, so Subversion 
continues to fail.

You can either generate a certificate for dev.foobar.net, signed by 
Geotrust (or create your own CA to sign your certificates, and copy your 
CA's certificate to c:\foobar.net.crt), and install it in your web 
server, or use the ssl-ignore-host-mismatch option in Subversion.

Cheers,
John

P.S. This sounds like it belongs on the Users list, not the Dev list...


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
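
Added example, not part of the original thread and not Subversion's own code: it separates the two checks discussed above, issuer trust (what `ssl-authorities-file` controls) and host-name match, using the OpenSSL command-line verifier as a stand-in for the client. The demo CA, the keys, the temporary files and the function names are all constructed for illustration; OpenSSL 1.1.0 or later is assumed.

```shell
#!/usr/bin/env bash
# Added demo. Every key, certificate and name below is generated locally
# (constructed); assumes the openssl CLI, version 1.1.0 or later.

make_pki() {              # $1 = empty work directory
  local d="$1"
  # Private config so the demo CA carries CA:TRUE whatever the system default is.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf"
  # Self-signed demo CA: the kind of file ssl-authorities-file should name.
  openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Server certificate issued for foobar.net only, as in the thread.
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=foobar.net" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null
}

# Check 1: is the server certificate's issuer found in the authorities file?
issuer_trusted() {        # $1 = authorities file, $2 = server certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: same chain check, plus the certificate must name the host.
host_accepted() {         # $1 = authorities file, $2 = server cert, $3 = host
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  make_pki "$d" || return 1
  issuer_trusted "$d/server.crt" "$d/server.crt" \
    || echo "server cert used as authorities file: issuer unknown"
  issuer_trusted "$d/ca.crt" "$d/server.crt" \
    && echo "CA cert used as authorities file: issuer trusted"
  host_accepted "$d/ca.crt" "$d/server.crt" foobar.net \
    && echo "foobar.net: accepted"
  host_accepted "$d/ca.crt" "$d/server.crt" dev.foobar.net \
    || echo "dev.foobar.net: rejected, CA trusted but host name does not match"
  rm -rf "$d"
}

demo
```
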

Re: ssl-authorities-file

Posted by js...@pobox.com.
Thanks for replying.


>You're confusing the meaning of 'ssl-authorities-file'.  It means, "which
>CAs do I trust?"   It's supposed to point to the certificate of the *CA* that
>signed the server cert, not to the server cert itself.

I'll not dispute this. However, my certificate is signed by GeoTrust. I 
went to their website (www.geotrust.com) and downloaded their certificate. 
I changed my servers file to point to it and still no joy.


Jason Stewart

Re: ssl-authorities-file

Posted by su...@collab.net.
> I copied the server's certificate file (foobar.net.crt) to
> c:\foobar.net.crt. I inserted the following lines in the servers file:
>
> [groups]
> foobar = dev.foobar.net
>
> [foobar]
> ssl-authorities-file = /foobar.net.crt
>
>
> Unfortunately, it continues to ask me the question. My server is
> running  Linux and my clients are running Windows 2000.
>
> Any suggestions? What am I doing wrong?

You're confusing the meaning of 'ssl-authorities-file'.  It means, "which
CAs do I trust?"   It's supposed to point to the certificate of the *CA* that
signed the server cert, not to the server cert itself.



