#19247 closed enhancement (fixed)
subversion should use curl-ca-bundle certificates out of the box
Reported by: | dave@… | Owned by: | danielluke (Daniel J. Luke) |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | |
Keywords: | Cc: | blair (Blair Zajac), raimue (Rainer Müller), nikolaus@…, ryandesign (Ryan Carsten Schmidt), anddam (Andrea D'Amore), cooljeanius (Eric Gallager) | |
Port: | subversion curl-ca-bundle |
Description
I had to copy the set of trusted root certificates over from my Linux box. This has really bad consequences, e.g. for people using SVN.
Attachments (3)
Change History (25)
comment:1 follow-up: 2 Changed 16 years ago by blb@…
Priority: | High → Normal |
---|
comment:2 Changed 16 years ago by dave@…
Replying to blb@…:
> OpenSSL doesn't install any certificates by design, see their FAQ. For other sources of certs there is the curl-ca-bundle for curl's use. Are you saying that subversion should have something similar?
I'm saying precisely this:
- There should be a package that installs all the standard ca-certificates in the place where openssl's default config looks for them, which happens to be /opt/local/etc/openssl/certs
- either
- the openssl package should depend on this package (that's the case on Ubuntu Linux, for example), or
- Subversion should depend on it
comment:3 Changed 16 years ago by dave@…
Hmm, my FreeBSD box also appears to have openssl and subversion with no certificate bundle, so maybe my argument for comment:2 above is a bit weak.
I ran into the problem with svn because one of the tools I use (psvn.el) started passing --non-interactive to its svn update commands, and svn fails in that case unless the certificates are validated... even if you've already permanently accepted a security exception. Maybe this is an SVN bug.
comment:4 Changed 16 years ago by dave@…
Hmm, just found http://subversion.tigris.org/issues/show_bug.cgi?id=3059, which I think explains the problem in comment:2.
So maybe this could be worked around in the mac port somehow?
I still want a certificate bundle package that installs where openssl expects to find it :-)
comment:5 Changed 16 years ago by raimue (Rainer Müller)
Cc: | raimue@… added |
---|
I don't think we have the resources or knowledge to do our own auditing for root CAs, so we would have to rely on existing bundles.
I was unable to locate a root CA bundle on Mac OS X itself, it is not at /etc/openssl/certs. So how and against what would /usr/bin/svn validate certificates?
comment:7 Changed 15 years ago by raimue (Rainer Müller)
Owner: | changed from macports-tickets@… to mww@… |
---|---|
Port: | openssl added |
Type: | defect → enhancement |
comment:8 Changed 15 years ago by raimue (Rainer Müller)
Resolution: | → wontfix |
---|---|
Status: | new → closed |
openssl should and will not install certificates.
comment:9 Changed 13 years ago by nikolaus@…
Resolution: | wontfix |
---|---|
Status: | closed → reopened |
Just because openssl should not install certificates does not mean that there should not be a port that installs certificates in a way that openssl finds and uses them. Therefore I think this enhancement is valid and should not be closed with wontfix.
There is already curl-ca-bundle, but unless you do something like
    sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/etc/openssl/cert.pem
it is not useful in e.g. svn.
Note that there seems to be also this unaddressed issue: #29970
comment:11 Changed 13 years ago by nikolaus@…
Here are posts / discussions showing that people have issues related to this problem:
comment:12 Changed 13 years ago by raimue (Rainer Müller)
Cc: | ryandesign@… added |
---|---|
Port: | curl-ca-bundle added |
Adding the curl-ca-bundle to openssl makes sense to me. I think the symlink should be added by the curl-ca-bundle port. Adding Ryan as maintainer to CC.
comment:13 follow-up: 15 Changed 13 years ago by ryandesign (Ryan Carsten Schmidt)
So what do I need to do here? Just make the curl-ca-bundle port also install a symlink /opt/local/etc/openssl/cert.pem pointing to /opt/local/share/curl/curl-ca-bundle.crt?
comment:14 Changed 13 years ago by jmroot (Joshua Root)
Cc: | blair@… added |
---|---|
Owner: | changed from mww@… to dluke@… |
Port: | subversion added; openssl removed |
Status: | reopened → new |
Summary: | openssl doesn't install any certificates → subversion should use curl-ca-bundle certificates out of the box |
Version: | 1.7.1 |
Changed 13 years ago by jmroot (Joshua Root)
Attachment: | Portfile.diff added |
---|
subversion portfile patch
Changed 13 years ago by jmroot (Joshua Root)
Attachment: | config_impl.h.patch added |
---|
Changed 13 years ago by jmroot (Joshua Root)
Attachment: | servers.default added |
---|
comment:15 Changed 13 years ago by nikolaus@…
Replying to ryandesign@…:
> So what do I need to do here? Just make the curl-ca-bundle port also install a symlink /opt/local/etc/openssl/cert.pem pointing to /opt/local/share/curl/curl-ca-bundle.crt?
Do we need to deal with the fact that /opt/local/etc/openssl/cert.pem might already exist (created by the user)? Is it possible to put such a symlink in /opt/local/etc/openssl/certs/ also (except that there is #29970), or does this folder need to have the hash values of the certificates as filenames for the whole thing to work?
comment:16 follow-up: 18 Changed 13 years ago by jmroot (Joshua Root)
The attached should do it for subversion, provided curl-ca-bundle also installs the link. I tried using the ssl-authority-files setting but it only recognises one cert per file (because that's all the underlying functions in neon and serf will do).
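The two certificate layouts raised in comment:15 and comment:16 (an OpenSSL CApath directory, which does require files named by subject hash, and one certificate per file for ssl-authority-files, since neon/serf read a single cert from each file) can be produced from a bundle with a short script. The following is an added example, not code from this ticket, from MacPorts or from Subversion; the sample bundle is constructed with placeholder bodies rather than real certificates, all paths are hypothetical, and the semicolon separator for ssl-authority-files is the one Subversion's RA layers split that option on (check your servers template if in doubt):

```shell
#!/bin/sh
# Added example, not code from this ticket or from MacPorts/Subversion.
#   1. split_bundle: one certificate per file, the layout ssl-authority-files
#      needs because neon/serf read a single cert from each file (comment:16);
#   2. servers_config: a servers [global] section listing those files;
#   3. rehash_dir: turn the directory into an OpenSSL CApath, where each file
#      must be reachable as <subject_hash>.N (the question in comment:15);
#      needs the openssl binary and real certificates, so it is optional here.
# The sample bundle below is constructed and its bodies are placeholders.
set -eu

SAMPLE_BUNDLE='## Bundle of CA Root Certificates (constructed sample)
Example CA 1
============
-----BEGIN CERTIFICATE-----
MIIBexample1
-----END CERTIFICATE-----

Example CA 2
============
-----BEGIN CERTIFICATE-----
MIIBexample2
-----END CERTIFICATE-----
'

# split_bundle BUNDLE OUT_DIR
# Copies every BEGIN..END CERTIFICATE block of BUNDLE into OUT_DIR/ca-NNNN.pem
# (one certificate per file, surrounding comment text dropped) and prints the count.
split_bundle() {
    bundle=$1; out=$2
    mkdir -p "$out"
    awk -v out="$out" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%04d.pem", out, n); inside = 1 }
        inside { print > f }
        /^-----END CERTIFICATE-----/   { inside = 0; close(f) }
        END { print n + 0 }
    ' "$bundle"
}

# servers_config CERT_DIR
# Prints a ~/.subversion/servers [global] section pointing ssl-authority-files
# at the split files, joined with ";" (assumed separator, see lead-in).
servers_config() {
    dir=$1
    list=""
    for pem in "$dir"/ca-*.pem; do
        list="${list:+$list;}$pem"
    done
    printf '[global]\nssl-authority-files = %s\n' "$list"
}

# rehash_dir DIR
# Links each cert as <subject_hash>.N so DIR works as an OpenSSL CApath,
# roughly what c_rehash / "openssl rehash" do. Returns 2 if openssl is
# missing and 1 if a file is not a parseable certificate.
rehash_dir() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || return 2
    for pem in "$dir"/ca-*.pem; do
        h=$(openssl x509 -noout -subject_hash -in "$pem" 2>/dev/null) || return 1
        i=0
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
        ln -sf "$(basename "$pem")" "$dir/$h.$i"
    done
}

demo() {
    tmp=$(mktemp -d)
    printf '%s' "$SAMPLE_BUNDLE" > "$tmp/curl-ca-bundle.crt"
    n=$(split_bundle "$tmp/curl-ca-bundle.crt" "$tmp/certs")
    echo "split bundle into $n one-certificate files:"
    ls "$tmp/certs"
    servers_config "$tmp/certs"
    # rehash_dir "$tmp/certs"   # only meaningful with real certificates
    rm -rf "$tmp"
}

demo
```

Pointing OpenSSL's default cert.pem at the whole bundle (the symlink from comment:9) is the simpler route for anything that goes through OpenSSL's default verify paths; the split layout is only needed where the consumer, like neon or serf here, refuses multi-certificate files.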
comment:18 Changed 13 years ago by ryandesign (Ryan Carsten Schmidt)
comment:19 Changed 13 years ago by danielluke (Daniel J. Luke)
I guess that's my cue, I'll test the patches shortly and get an update to subversion ready.
comment:20 Changed 13 years ago by danielluke (Daniel J. Luke)
Status: | new → assigned |
---|
comment:21 Changed 13 years ago by danielluke (Daniel J. Luke)
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
r90123, thanks!