You are viewing a plain text version of this content. The canonical link for it is here.

Posted to infrastructure-issues@apache.org by "Daniel Gruno (JIRA)" <ji...@apache.org> on 2014/12/09 17:41:12 UTC

[jira] [Resolved] (INFRA-8814) Different certs for svn.us/.eu mean svn.geo redirection does not work properly

     [ https://issues.apache.org/jira/browse/INFRA-8814?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Gruno resolved INFRA-8814.
---------------------------------
    Resolution: Fixed
      Assignee: Daniel Gruno

All fixed with the new roll-out.
Sorry for the inconvenience!

> Different certs for svn.us/.eu mean svn.geo redirection does not work properly
> ------------------------------------------------------------------------------
>
>                 Key: INFRA-8814
>                 URL: https://issues.apache.org/jira/browse/INFRA-8814
>             Project: Infrastructure
>          Issue Type: Bug
>          Components: Subversion
>            Reporter: Sebb
>            Assignee: Daniel Gruno
>            Priority: Critical
>
> svn.apache.org resolves via svn.geo.apache.org to either svn.eu.a.o or svn.us.a.o
> By default the SVN client does not know about the CA cert that is used by the svn hosts; this can be overridden by accepting the certificate using the fingerprint as validation.
> This certificate etc. is stored in a file in .subversion/auth/svn.ssl.server/
> The file name is derived from the host name, rather than the IP address.
> [Looks like some kind of hash] So next time the URL is used SVN no longer needs to prompt.
> However this relies on the same certificate always being returned for a given host address.
> This is no longer the case, as the EU and US servers now have different certicates.
> So unless the svn.geo.a.o address always resolves to the same host for a given user, the SVN client will no longer be able to login without user intervention.
> I have tried this locally (by defining different IPs for svn.apache.org) and the SVN client prompts each time svn.apache.org is swapped between EU and US.
> There is no guarantee that svn.a.o will always return the same IP address.
> Especially on a system that may connect via different ISPs or with dynamic IPs. Even my fixed IP gets different  values at different times.
> This causes lots of problems.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)