stoneCC / serf

Automatically exported from code.google.com/p/serf
Apache License 2.0
0 stars 0 forks source link

Subversion doesn't allow saving common certificate problems with serf. #84

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. svn --config-option servers:global:http-library=serf info 
https://svn.apache.org/repos/asf
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
 - The certificate has an unknown error.
<snip>
(R)eject or accept (t)emporarily?

What is the expected output?
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
<snip>
(R)eject, accept (t)emporarily or accept (p)ermanently?

I see the problem with Subversion trunk or recent 1.7 and any serf version.

This is caused by not handling several openssl error codes in serf, which then 
fall in the generic openssl error category. This category explicitly doesn't 
allow saving permanently.

This patch fixes the problem:

Index: buckets/ssl_buckets.c
===================================================================
--- buckets/ssl_buckets.c   (revision 1569)
+++ buckets/ssl_buckets.c   (working copy)
@@ -418,6 +419,9 @@ validate_server_certificate(int cert_valid, X509_S
                     failures |= SERF_SSL_CERT_SELF_SIGNED;
                     break;
             case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+            case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+            case X509_V_ERR_CERT_UNTRUSTED:
+            case X509_V_ERR_INVALID_CA:
                     failures |= SERF_SSL_CERT_UNKNOWNCA;
                     break;
             default:

Original issue reported on code.google.com by b...@qqmail.nl on 20 Mar 2012 at 12:28

GoogleCodeExporter commented 9 years ago
Note that I removed the first hunk of this patch, so you might get a warning on 
changed offsets.

Original comment by b...@qqmail.nl on 20 Mar 2012 at 12:30

GoogleCodeExporter commented 9 years ago
This has been applied and incorporated into the 1.0.3 release.

Thanks!

Original comment by gstein on 20 Mar 2012 at 7:53