Opened 16 years ago

Closed 13 years ago

Last modified 12 years ago

#19247 closed enhancement (fixed)

subversion should use curl-ca-bundle certificates out of the box

Reported by: dave@… Owned by: danielluke (Daniel J. Luke)
Priority: Normal Milestone:
Component: ports Version:
Keywords: Cc: blair (Blair Zajac), raimue (Rainer Müller), nikolaus@…, ryandesign (Ryan Carsten Schmidt), anddam (Andrea D'Amore), cooljeanius (Eric Gallager)
Port: subversion curl-ca-bundle

Description

I had to copy the set of trusted root certificates over from my Linux box. This has really bad consequences, e.g. for people using SVN.

Attachments (3)

Portfile.diff (1.4 KB) - added by jmroot (Joshua Root) 13 years ago.
subversion portfile patch
config_impl.h.patch (560 bytes) - added by jmroot (Joshua Root) 13 years ago.
servers.default (36 bytes) - added by jmroot (Joshua Root) 13 years ago.

Download all attachments as: .zip

Change History (25)

comment:1 Changed 16 years ago by blb@…

Priority: HighNormal

OpenSSL doesn't install any certificates by design, see their FAQ. For other sources of certs there is the curl-ca-bundle for curl's use. Are you saying that subversion should have something similar?

comment:2 in reply to:  1 Changed 16 years ago by dave@…

Replying to blb@…:

OpenSSL doesn't install any certificates by design, see their FAQ. For other sources of certs there is the curl-ca-bundle for curl's use. Are you saying that subversion should have something similar?

I'm saying precisely this:

  1. There should be a package that installs all the standard ca-certificates in the place where openssl's default config looks for them, which happens to be /opt/local/etc/openssl/certs
  1. either
  1. the openssl package should depend on this package (that's the case on Ubuntu Linux, for example), or
  2. Subversion should depend on it

comment:3 Changed 16 years ago by dave@…

Hmm, my FreeBSD box also appears to have openssl and subversion with no certificate bundle, so maybe my argument for comment:2 above is a bit weak.

I ran into the problem with svn because one of the tools I use (psvn.el) started passing --non-interactive to its svn update commands, and svn fails in that case unless the certificates are validated... even if you've already permanently accepted a security exception. Maybe this is an SVN bug.

comment:4 Changed 16 years ago by dave@…

Hmm, just found http://subversion.tigris.org/issues/show_bug.cgi?id=3059, which I think explains problem comment:2.

So maybe this could be worked around in the mac port somehow?

I still want a certificate bundle package that installs where openssl expects to find it :-)

comment:5 Changed 16 years ago by raimue (Rainer Müller)

Cc: raimue@… added

I don't think we have the resources or knowledge to do our own auditing for root CAs, so we would have to rely on existing bundles.

I was unable to locate a root CA bundle on Mac OS X itself, it is not at /etc/openssl/certs. So how and against what would /usr/bin/svn validate certificates?

comment:6 Changed 16 years ago by (none)

Milestone: Port Bugs

Milestone Port Bugs deleted

comment:7 Changed 15 years ago by raimue (Rainer Müller)

Owner: changed from macports-tickets@… to mww@…
Port: openssl added
Type: defectenhancement

comment:8 Changed 15 years ago by raimue (Rainer Müller)

Resolution: wontfix
Status: newclosed

openssl should and will not install certificates.

comment:9 Changed 13 years ago by nikolaus@…

Resolution: wontfix
Status: closedreopened

Just beacause openssl should not install certificates does not mean that there should not be a port that installs certifcates in a way that openssl finds and uses them. Therefore I think this enhancement is valid and should not be closed with wontfix.

There is already curl-ca-bundle, but unless you do somehting like

sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/etc/openssl/cert.pem

it is not useful in e.g. svn.

Note that there seems to be also this unaddressed issue: #29970

comment:10 Changed 13 years ago by nikolaus@…

Cc: nikolaus@… added

Cc Me!

comment:12 Changed 13 years ago by raimue (Rainer Müller)

Cc: ryandesign@… added
Port: curl-ca-bundle added

Adding the curl-ca-bundle to openssl makes sense to me. I think the symlink should be added by the curl-ca-bundle port. Adding Ryan as maintainer to CC.

comment:13 Changed 13 years ago by ryandesign (Ryan Carsten Schmidt)

So what do I need to do here? Just make the curl-ca-bundle port also install a symlink /opt/local/etc/openssl/cert.pem pointing to /opt/local/share/curl/curl-ca-bundle.crt?

comment:14 Changed 13 years ago by jmroot (Joshua Root)

Cc: blair@… added
Owner: changed from mww@… to dluke@…
Port: subversion added; openssl removed
Status: reopenednew
Summary: openssl doesn't install any certificatessubversion should use curl-ca-bundle certificates out of the box
Version: 1.7.1

Changed 13 years ago by jmroot (Joshua Root)

Attachment: Portfile.diff added

subversion portfile patch

Changed 13 years ago by jmroot (Joshua Root)

Attachment: config_impl.h.patch added

Changed 13 years ago by jmroot (Joshua Root)

Attachment: servers.default added

comment:15 in reply to:  13 Changed 13 years ago by nikolaus@…

Replying to ryandesign@…:

So what do I need to do here? Just make the curl-ca-bundle port also install a symlink /opt/local/etc/openssl/cert.pem pointing to /opt/local/share/curl/curl-ca-bundle.crt?

Do we need to deal with the fact that /opt/local/etc/openssl/cert.pem might already exists (created by the user). Is it possible to put such a symlink in /opt/local/etc/openssl/certs/ also (except that there is #29970), or does this folder need to have the hashvalues of the certificates as filenames for the whole thing to work?

comment:16 Changed 13 years ago by jmroot (Joshua Root)

The attached should do it for subversion, provided curl-ca-bundle also installs the link. I tried using the ssl-authority-files setting but it only recognises one cert per file (because that's all the underlying functions in neon and serf will do).

comment:17 Changed 13 years ago by anddam (Andrea D'Amore)

Cc: and.damore@… added

Cc Me!

comment:18 in reply to:  16 Changed 13 years ago by ryandesign (Ryan Carsten Schmidt)

Replying to jmr@…:

The attached should do it for subversion, provided curl-ca-bundle also installs the link.

curl-ca-bundle now does as of r90121.

comment:19 Changed 13 years ago by danielluke (Daniel J. Luke)

I guess that's my queue, I'll test the patches shortly and get an update to subversion ready.

comment:20 Changed 13 years ago by danielluke (Daniel J. Luke)

Status: newassigned

comment:21 Changed 13 years ago by danielluke (Daniel J. Luke)

Resolution: fixed
Status: assignedclosed

r90123, thanks!

comment:22 Changed 12 years ago by cooljeanius (Eric Gallager)

Cc: egall@… added

Cc Me!

Note: See TracTickets for help on using tickets.