subversion should use curl-ca-bundle certificates out of the box

[dave@…]

I had to copy the set of trusted root certificates over from my Linux box. This has really bad consequences, e.g. for people using SVN.

[blb@…]

OpenSSL doesn't install any certificates by design, see ​their FAQ. For other sources of certs there is the curl-ca-bundle for curl's use. Are you saying that subversion should have something similar?

[dave@…]

Replying to blb@…:

OpenSSL doesn't install any certificates by design, see ​their FAQ. For other sources of certs there is the curl-ca-bundle for curl's use. Are you saying that subversion should have something similar?

I'm saying precisely this:

1. There should be a package that installs all the standard ca-certificates in the place where openssl's default config looks for them, which happens to be /opt/local/etc/openssl/certs

2. either

1. the openssl package should depend on this package (that's the case on Ubuntu Linux, for example), or
2. Subversion should depend on it

[dave@…]

Hmm, my FreeBSD box also appears to have openssl and subversion with no certificate bundle, so maybe my argument for comment:2 above is a bit weak.

I ran into the problem with svn because one of the tools I use (psvn.el) started passing --non-interactive to its svn update commands, and svn fails in that case unless the certificates are validated... even if you've already permanently accepted a security exception. Maybe this is an SVN bug.

[dave@…]

Hmm, just found ​http://subversion.tigris.org/issues/show_bug.cgi?id=3059, which I think explains problem comment:2.

So maybe this could be worked around in the mac port somehow?

I still want a certificate bundle package that installs where openssl expects to find it :-)

[raimue (Rainer Müller)]

I don't think we have the resources or knowledge to do our own auditing for root CAs, so we would have to rely on existing bundles.

I was unable to locate a root CA bundle on Mac OS X itself, it is not at /etc/openssl/certs. So how and against what would /usr/bin/svn validate certificates?

[(none)]

Milestone Port Bugs deleted

[raimue (Rainer Müller)]

openssl should and will not install certificates.

[nikolaus@…]

Just beacause openssl should not install certificates does not mean that there should not be a port that installs certifcates in a way that openssl finds and uses them. Therefore I think this enhancement is valid and should not be closed with wontfix.

There is already curl-ca-bundle, but unless you do somehting like

sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/etc/openssl/cert.pem

it is not useful in e.g. svn.

Note that there seems to be also this unaddressed issue: #29970

[nikolaus@…]

Cc Me!

[nikolaus@…]

Here are posts / discussions showing that people have issues related to this problem:

• ​http://groups.google.com/group/subversion_users/browse_thread/thread/38dbc2a2dfaa7035
• ​http://blog.55minutes.com/post/15406257966/fixing-https-certificate-errors-in-wget-and-ruby

[raimue (Rainer Müller)]

Adding the curl-ca-bundle to openssl makes sense to me. I think the symlink should be added by the curl-ca-bundle port. Adding Ryan as maintainer to CC.

[ryandesign (Ryan Carsten Schmidt)]

So what do I need to do here? Just make the curl-ca-bundle port also install a symlink /opt/local/etc/openssl/cert.pem pointing to /opt/local/share/curl/curl-ca-bundle.crt?

[jmroot (Joshua Root)]

subversion portfile patch

[nikolaus@…]

Replying to ryandesign@…:

So what do I need to do here? Just make the curl-ca-bundle port also install a symlink /opt/local/etc/openssl/cert.pem pointing to /opt/local/share/curl/curl-ca-bundle.crt?

Do we need to deal with the fact that /opt/local/etc/openssl/cert.pem might already exists (created by the user). Is it possible to put such a symlink in /opt/local/etc/openssl/certs/ also (except that there is #29970), or does this folder need to have the hashvalues of the certificates as filenames for the whole thing to work?

[jmroot (Joshua Root)]

The attached should do it for subversion, provided curl-ca-bundle also installs the link. I tried using the ssl-authority-files setting but it only recognises one cert per file (because that's all the underlying functions in neon and serf will do).

[anddam (Andrea D'Amore)]

Cc Me!

[ryandesign (Ryan Carsten Schmidt)]

Replying to jmr@…:

The attached should do it for subversion, provided curl-ca-bundle also installs the link.

curl-ca-bundle now does as of r90121.

[danielluke (Daniel J. Luke)]

I guess that's my queue, I'll test the patches shortly and get an update to subversion ready.

[danielluke (Daniel J. Luke)]

r90123, thanks!

[cooljeanius (Eric Gallager)]

Cc Me!